CVE-2018-1000057: Insufficiently Protected Credentials

May 13, 2022 (updated December 28, 2023)

Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password.

References

github.com/advisories/GHSA-38xm-xhvj-q2qf
github.com/jenkinsci/credentials-binding-plugin/commit/0c75238933365aa52b26b7c73fd1f742bfaca9b1
jenkins.io/security/advisory/2018-02-05/
nvd.nist.gov/vuln/detail/CVE-2018-1000057

Detect and mitigate CVE-2018-1000057 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →