PT-2020-15395 · Jenkins · Jenkins Credentials Binding Plugin+1

Published 2020-05-06 · Updated 2023-10-25 · CVE-2020-2182

CVSS v2.0: 4.0 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Credentials Binding Plugin versions 1.22 and earlier

Description

The issue concerns the masking of secrets in the Jenkins Credentials Binding Plugin. Secrets containing a $ character are not properly masked in certain circumstances, potentially exposing sensitive information. The plugin allows passwords and other secrets to be supplied to builds as environment variables and normally hides their values in build console output. However, because $ characters in such secrets are escaped as $$ and only expanded back later, the escaped form does not match the masking pattern; build steps that print the command line before value expansion, such as the "Execute Maven top-level targets" step, therefore output the secret unmasked.

Recommendations

For Jenkins Credentials Binding Plugin versions 1.22 and earlier, update to version 1.23 or later, which masks secrets properly, including those with escaped $ characters.
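The following added example is constructed to illustrate the masking gap described above; it is not code from the Jenkins Credentials Binding Plugin. It models a console-output masker that only knows the literal secret (so the $$-escaped form echoed before expansion slips through) next to one that also masks the escaped variant, and runs both over two constructed console lines. The secret value, the log lines, and the helper names are all assumptions made for the example.

```python
import re
from typing import Callable, Iterable, List, Tuple

# Constructed secret containing "$", the case the advisory describes.
SECRET = "pa$$word1"

# Constructed console lines: the first echoes the command before "$$" is expanded
# back to "$", the second echoes the value after expansion.
LINES = [
    "[INFO] mvn -Dpassword=pa$$$$word1 clean install",
    "[INFO] connecting with password pa$$word1",
]

MASK = "****"


def escape_for_build_step(value: str) -> str:
    """Model of the escaping step: each '$' becomes '$$' before later expansion (assumption)."""
    return value.replace("$", "$$")


def mask_naive(line: str, secrets: Iterable[str]) -> str:
    """Masks only the literal secret value; misses the '$$'-escaped form."""
    for secret in secrets:
        if secret:
            line = line.replace(secret, MASK)
    return line


def mask_fixed(line: str, secrets: Iterable[str]) -> str:
    """Masks each secret and its '$'-escaped variant, longest variant first so the
    escaped form is consumed whole rather than partially."""
    variants = set()
    for secret in secrets:
        if secret:
            variants.add(secret)
            variants.add(escape_for_build_step(secret))
    if not variants:
        return line
    pattern = "|".join(re.escape(v) for v in sorted(variants, key=len, reverse=True))
    return re.sub(pattern, MASK, line)


def scan(lines: List[str], secrets: List[str],
         masker: Callable[[str, Iterable[str]], str]) -> Tuple[List[str], List[int]]:
    """Apply a masker to every line and report the indexes where a secret
    (raw or escaped) is still visible. Useful as a check on masking logic."""
    masked = [masker(line, secrets) for line in lines]
    leaks = [
        i for i, line in enumerate(masked)
        if any(v in line for s in secrets for v in (s, escape_for_build_step(s)))
    ]
    return masked, leaks


if __name__ == "__main__":
    for name, masker in (("naive", mask_naive), ("fixed", mask_fixed)):
        masked, leaks = scan(LINES, [SECRET], masker)
        print(f"{name}: leaking line indexes = {leaks}")
        for line in masked:
            print("  " + line)
```

Running the block shows the naive masker leaving line 0 (the pre-expansion echo) readable while the fixed masker covers both lines; the `scan` helper is the kind of check a defender can run over archived build logs to confirm that no raw or escaped secret values survive masking.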

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2020-2182
GHSA-7FF8-QFWX-8GX5
RHSA-2020:3453
RHSA-2020:3625
RHSA-2020:4265

Affected Products

Jenkins
Jenkins Credentials Binding Plugin