Bug 1542718 (CVE-2018-1000057) - CVE-2018-1000057 jenkins-plugin-credentials-binding: improper masking of the secret provided to the build in rare circumstances
Summary: CVE-2018-1000057 jenkins-plugin-credentials-binding: improper masking of the ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-1000057
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1542719
TreeView+ depends on / blocked
 
Reported: 2018-02-06 21:42 UTC by Laura Pardo
Modified: 2019-09-29 14:32 UTC (History)
7 users (show)

Fixed In Version: jenkins-plugin-credentials-binding 1.15
Clone Of:
Environment:
Last Closed: 2018-02-16 03:13:02 UTC
Embargoed:

Attachments (Terms of Use)

Description Laura Pardo 2018-02-06 21:42:57 UTC 
A flaw was found in Credentials Binding Jenkins plugin. Since Jenkins will try to resolve references to other environment variables in environment variables passed to a build, this can result in other values than the one specified being provided to a build. For example, the value p4$$w0rd would result in Jenkins passing on p4$w0rd, as $$ is the escape sequence for a single $.
Credentials Binding plugin does not prevent such a transformed value (e.g. p4$w0rd) from being shown on the build log, allowing users to reconstruct the actual password value from the transformed one.

This issue applies to freestyle and other classic job types, but does not apply to Pipelines.


References:
https://jenkins.io/security/advisory/2018-02-05/ [SECURITY-698 / CVE-2018-1000057]
Note You need to log in before you can comment on or make changes to this bug.