4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000057

GHSA ID

GHSA-38xm-xhvj-q2qf

EPSS Score

0.06877%

CWE

CWE-522

Published

5/13/2022

Updated

12/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000057

CVE-2018-1000057: Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials

Jenkins Credentials Binding plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds.

However, since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can result in values other than the one specified being provided to a build. For example, the value p4$$w0rd would result in Jenkins passing on p4$w0rd, as $$ is the escape sequence for a single $.

Credentials Binding plugin does not prevent such a transformed value (e.g. p4$w0rd) from being shown on the build log, allowing users to reconstruct the actual password value from the transformed one.

Credentials Binding plugin will now escape any $ characters in password values so they are correctly passed to the build.

This issue did apply to freestyle and other classic job types, but does not apply to Pipelines.

(GitHub Advisory)

4.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000057

GHSA ID

GHSA-38xm-xhvj-q2qf

EPSS Score

0.06877%

CWE

CWE-522

Published

5/13/2022

Updated

12/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:credentials-binding	maven	< 1.15	1.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from how environment variables containing credentials were processed. The original code in SecretBuildWrapper.java used env.putAll(e.getValues()) which failed to handle '$' characters in credential values. Since Jenkins interprets '$$' as a single '$', credentials containing '$' would be transformed and potentially exposed in logs. The patched commit specifically modifies this method to apply pair.getValue().replace("$", "$$$$"), demonstrating this was the vulnerable code path. The test case changes confirm the scenario involved '$' handling in credentials.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *r***nti*ls *in*in* plu*in *llows sp**i*yin* p*sswor*s *n* ot**r s**r*ts *s *nvironm*nt v*ri**l*s, *n* will *i** t**m *rom *onsol* output in *uil*s. *ow*v*r, sin** J*nkins will try to r*solv* r***r*n**s to ot**r *nvironm*nt v*ri**l*s in *nvi

Reasoning

T** vuln*r**ility st*mm** *rom *ow *nvironm*nt v*ri**l*s *ont*inin* *r***nti*ls w*r* pro**ss**. T** ori*in*l *o** in `S**r*t*uil*Wr*pp*r.j*v*` us** `*nv.put*ll(*.**tV*lu*s())` w*i** **il** to **n*l* '$' ***r**t*rs in *r***nti*l v*lu*s. Sin** J*nkins

4.3

Basic Information

Concerned about an active attack path?

CVE-2018-1000057: Jenkins Credentials Binding Plugin has Insufficiently Protected Credentials

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI