
CVE-2018-1000057: Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials

CVSS Score: 4.3 (CVSS 3.0)

Basic Information

EPSS Score: 0.06877%
Published: 5/13/2022
Updated: 12/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:credentials-binding
Ecosystem: maven
Vulnerable Versions: < 1.15
First Patched Version: 1.15

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from how environment variables containing credentials were processed. The original code in `SecretBuildWrapper.java` used `env.putAll(e.getValues())`, which did not escape '$' characters in credential values. Since Jenkins interprets '$$' as a single '$' when it resolves variable references in environment values, a credential containing '$' would be transformed during expansion and could be exposed in logs. The patched commit modifies this method to apply `pair.getValue().replace("$", "$$$$")` to each value, which identifies this as the vulnerable code path. The accompanying test case changes confirm the scenario involved '$' handling in credentials.
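The following is an added illustration, not code from the plugin or from Miggo. It models the behaviour described above with a toy single-pass variable expander (assumed semantics: `$$` collapses to `$`, `$NAME` is replaced by NAME's value) and models console masking as a literal replacement of the original secret string. The class name, the `expand`/`bind*`/`mask` helpers, the `HOME` variable and the sample credentials are all constructed for the example. Because this resolver expands only once, the escape doubles each `$`; the page's patch uses `"$$$$"`, and the number of doublings has to match the number of expansion passes a value actually goes through.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration (not plugin code): a toy model of the '$' escaping issue.
public class DollarEscapeDemo {

    // Toy expansion modelled on the analysis above: "$$" collapses to "$",
    // "$NAME" is replaced by NAME's value; unknown names and a bare "$" stay as-is.
    static String expand(String value, Map<String, String> vars) {
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < value.length()) {
            char c = value.charAt(i);
            if (c != '$') {
                out.append(c);
                i++;
                continue;
            }
            if (i + 1 < value.length() && value.charAt(i + 1) == '$') {
                out.append('$');      // escaped dollar sign
                i += 2;
                continue;
            }
            int j = i + 1;
            while (j < value.length()
                    && (Character.isLetterOrDigit(value.charAt(j)) || value.charAt(j) == '_')) {
                j++;
            }
            String name = value.substring(i + 1, j);
            if (!name.isEmpty() && vars.containsKey(name)) {
                out.append(vars.get(name));   // reference resolved
                i = j;
            } else {
                out.append(c);                // no usable reference: keep the "$"
                i++;
            }
        }
        return out.toString();
    }

    // Before the fix: the raw credential goes into the environment unchanged.
    static String bindUnescaped(String secret) {
        return secret;
    }

    // After the fix: every "$" is doubled so one expansion pass restores it.
    // String.replace is a literal replacement; replaceAll would treat "$" in the
    // replacement string as a group reference. Two dollars suffice for this
    // single-pass toy resolver (assumption); the real patch on the page uses four.
    static String bindEscaped(String secret) {
        return secret.replace("$", "$$");
    }

    // Console masking as the plugin intends: hide every occurrence of the
    // original secret text in the build log.
    static String mask(String consoleLine, String secret) {
        return consoleLine.replace(secret, "****");
    }

    // Simulates a build step echoing the bound variable, then masking the console.
    // Returns the masked console line so the reader can see what still leaks.
    static String consoleAfterMasking(String secret, String boundValue, Map<String, String> env) {
        String resolved = expand(boundValue, env);
        return mask("token=" + resolved, secret);
    }

    public static void main(String[] args) {
        Map<String, String> env = new HashMap<>();
        env.put("HOME", "/var/lib/jenkins");   // constructed build environment

        // Constructed sample credentials containing "$".
        String[] secrets = { "pa$HOME-word", "pa$$word" };
        for (String secret : secrets) {
            System.out.println("secret     : " + secret);
            System.out.println("unescaped  : " + consoleAfterMasking(secret, bindUnescaped(secret), env));
            System.out.println("escaped    : " + consoleAfterMasking(secret, bindEscaped(secret), env));
        }
    }
}
```

Running it shows the two failure modes the analysis describes: for the unescaped binding, `pa$HOME-word` is expanded to `pa/var/lib/jenkins-word` and `pa$$word` to `pa$word`, neither of which matches the original secret, so the masking step leaves the transformed credential in the console line. With the escaped binding both values expand back to the original secret and the console line is masked to `token=****`. The check a defender can take from this is simple: masking by exact string match is only as good as the invariance of the secret through every transformation between binding and output.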


WAF Protection Rules

WAF Rule

Jenkins credentials binding plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. However, since Jenkins will try to resolve references to other environment variables in envi
