A flaw was found in Credentials Binding Jenkins plugin. Since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can result in other values than the one specified being provided to a build. For example, the value p4$$w0rd would result in Jenkins passing on p4$w0rd, as $$ is the escape sequence for a single $.
Credentials Binding plugin does not prevent such a transformed value (e.g. p4$w0rd) from being shown on the build log, allowing users to reconstruct the actual password value from the transformed one.

This issue applies to freestyle and other classic job types, but does not apply to Pipelines.


References:
https://jenkins.io/security/advisory/2018-02-05/ [SECURITY-698 / CVE-2018-1000057]