Bug 1542718 (CVE-2018-1000057)

Summary: CVE-2018-1000057 jenkins-plugin-credentials-binding: improper masking of the secret provided to the build in rare circumstances
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bleanhar, ccoleman, dedgar, dmcphers, jgoulding, jkeck, kseifried
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins-plugin-credentials-binding 1.15 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-16 03:13:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1542719    

Description Laura Pardo 2018-02-06 21:42:57 UTC 
A flaw was found in Credentials Binding Jenkins plugin. Since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can result in other values than the one specified being provided to a build. For example, the value p4$$w0rd would result in Jenkins passing on p4$w0rd, as $$ is the escape sequence for a single $.
Credentials Binding plugin does not prevent such a transformed value (e.g. p4$w0rd) from being shown on the build log, allowing users to reconstruct the actual password value from the transformed one.

This issue applies to freestyle and other classic job types, but does not apply to Pipelines.


References:
https://jenkins.io/security/advisory/2018-02-05/ [SECURITY-698 / CVE-2018-1000057]