Bug 2120945 (CVE-2022-38663) - CVE-2022-38663 jenkins-2-plugins/git: Improper masking of credentials in Git Plugin
Summary: CVE-2022-38663 jenkins-2-plugins/git: Improper masking of credentials in Git ...
Keywords:
Status: NEW
Alias: CVE-2022-38663
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2120946
Reported: 2022-08-24 05:35 UTC by Avinash Hanwate
Modified: 2023-07-07 08:28 UTC

Fixed In Version: Git Plugin 4.11.5
Doc Text:
A flaw was found in the Jenkins Git plugin. The plugin does not properly mask, in the build log, the credentials provided by the Git Username and Password (gitUsernamePassword) credentials binding. Usernames are masked instead of passwords in cases where usernames are not set to be treated as secret.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2022-08-24 05:35:35 UTC
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.

https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796

