Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps.
org.jenkins-ci.plugins:credentials
{ "last_known_affected_version_range": "<= 1.22" }