PT-2018-9244 · Jenkins · Jenkins Credentials Binding Plugin

Published: 2018-02-09 · Updated: 2022-05-13 · CVE-2018-1000057

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Credentials Binding Plugin version 1.14 and earlier
Description: The issue allows unauthorized users to recover original passwords because Jenkins transforms provided password values, for example by replacing environment variable references, which can result in unmasked values being provided to the build. For example, the value p4$$w0rd is passed on as p4$w0rd because $$ is the escape sequence for a single $. This lets users reconstruct the actual password value from the transformed one. The issue affects freestyle and other classic job types but does not apply to Pipelines.
Recommendations: For Jenkins Credentials Binding Plugin version 1.14 and earlier, update the plugin to a version that escapes any $ characters in password values to prevent transformed values from being shown in the build log.
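To make the transformation concrete, here is an added example (not Jenkins code and not part of this advisory) with a constructed stand-in for Jenkins-style variable expansion and build-log masking. The masker knows only the original credential value, so the transformed value slips through unmasked; escaping every `$` before expansion, as the recommended fix does, makes expansion a no-op and the masking holds.

```python
import re

# Constructed stand-in for the build-time expansion Jenkins applies to
# parameter values: "$$" is the escape for a single "$", and "$NAME" or
# "${NAME}" is replaced with the named environment variable.
_TOKEN = re.compile(r"\$\$|\$\{(\w+)\}|\$(\w+)")


def expand(value: str, env: dict) -> str:
    """One-pass expansion: '$$' -> '$', '$VAR' / '${VAR}' -> env[VAR] (or '')."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        name = m.group(1) or m.group(2)
        return env.get(name, "")
    return _TOKEN.sub(sub, value)


def mask(text: str, secrets: list) -> str:
    """Log masking: every exact occurrence of a bound secret becomes ****."""
    for s in secrets:
        if s:
            text = text.replace(s, "****")
    return text


def escape_dollars(value: str) -> str:
    """The fix the advisory describes: escape each '$' so expansion returns the original."""
    return value.replace("$", "$$")


def build_log_line(password: str, env: dict, fixed: bool) -> str:
    """Simulate a freestyle build echoing a bound password into its log.

    The masker only knows the ORIGINAL credential value, not the expanded one,
    so any transformation between binding and logging defeats it."""
    bound = escape_dollars(password) if fixed else password
    expanded = expand(bound, env)  # what the build step actually receives
    return mask(f"connecting with {expanded}", [password])


if __name__ == "__main__":
    env = {"HOME": "/var/lib/jenkins"}  # constructed build environment
    for pw in ["p4$$w0rd", "hunter$HOME"]:  # constructed sample passwords
        print(f"{pw!r:16} vulnerable: {build_log_line(pw, env, False)}")
        print(f"{'':16} fixed:      {build_log_line(pw, env, True)}")
```

The second sample shows the environment-variable case the advisory mentions: an unescaped `$HOME` inside the password is substituted, so the logged value differs from the stored one and escapes masking.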

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2018-1000057
GHSA-38XM-XHVJ-Q2QF

Affected Products

Jenkins
Jenkins Credentials Binding Plugin