GHSA-43j2-r4v3-m8jp

Source

https://github.com/advisories/GHSA-43j2-r4v3-m8jp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-43j2-r4v3-m8jp/GHSA-43j2-r4v3-m8jp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-43j2-r4v3-m8jp

Aliases

CVE-2020-2181

Published

2022-05-24T17:17:14Z

Modified

2024-02-16T08:16:08.885782Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Secrets are not masked by Jenkins Credentials Binding Plugin in builds without build steps

Details

Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.

Jenkins Credentials Binding Plugin 1.23 now masks secrets when the build contains no build steps.

Database specific

{
    "nvd_published_at": "2020-05-06T13:15:00Z",
    "github_reviewed_at": "2022-06-24T00:57:14Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-522"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:credentials-binding

Package

Name: org.jenkins-ci.plugins:credentials-binding; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/credentials-binding

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.23

Affected versions

1.*

1.0-beta-1

1.0

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.20

1.20.1

1.21

1.22

Database specific

{
    "last_known_affected_version_range": "<= 1.22"
}