What is the severity of CVE-2020-2181?

CVE-2020-2181 has a low severity rating due to the lack of risk involved in exposure.

How do I fix CVE-2020-2181?

To fix CVE-2020-2181, upgrade the Jenkins Credentials Binding Plugin to version 1.23 or later.

What systems are affected by CVE-2020-2181?

CVE-2020-2181 affects all versions of the Jenkins Credentials Binding Plugin prior to version 1.23.

What happens if I don’t address CVE-2020-2181?

Ignoring CVE-2020-2181 could lead to sensitive information leakage in build logs under specific circumstances.

Are there workarounds for CVE-2020-2181?

There are no official workarounds for CVE-2020-2181; updating to the latest version is recommended.

Vulnerability/
CVE-2020-2181

medium

6.5

CWE

522 200

6/5/2020

24/5/2022

4/8/2024

CVE-2020-2181: Infoleak

First published: Wed May 06 2020(Updated: )

A vulnerability was found in Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. Reference: <a href="http://www.openwall.com/lists/oss-security/2020/05/06/3">http://www.openwall.com/lists/oss-security/2020/05/06/3</a>

Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the severity of CVE-2020-2181?
CVE-2020-2181 has a low severity rating due to the lack of risk involved in exposure.
How do I fix CVE-2020-2181?
To fix CVE-2020-2181, upgrade the Jenkins Credentials Binding Plugin to version 1.23 or later.
What systems are affected by CVE-2020-2181?
CVE-2020-2181 affects all versions of the Jenkins Credentials Binding Plugin prior to version 1.23.
What happens if I don’t address CVE-2020-2181?
Ignoring CVE-2020-2181 could lead to sensitive information leakage in build logs under specific circumstances.
Are there workarounds for CVE-2020-2181?
There are no official workarounds for CVE-2020-2181; updating to the latest version is recommended.

collector/redhat-cve
collector/nvd-index
collector/nvd-api
collector/nvd-cve
collector/github-advisory-latest
alias/GHSA-43j2-r4v3-m8jp
alias/CVE-2020-2181
collector/github-advisory
agent/type
agent/softwarecombine
agent/first-publish-date
agent/severity
agent/author
agent/weakness
agent/references
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/description
agent/event
agent/trending
agent/tags
agent/source
package-manager/redhat
vendor/jenkins
canonical/jenkins credentials binding
version/jenkins credentials binding/1.22
package-manager/maven

CVE-2020-2181: Infoleak

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2020-2181?

How do I fix CVE-2020-2181?

What systems are affected by CVE-2020-2181?

What happens if I don’t address CVE-2020-2181?

Are there workarounds for CVE-2020-2181?

Company

Resources

Contact

Frequently Asked Questions

What is the severity of CVE-2020-2181?

How do I fix CVE-2020-2181?

What systems are affected by CVE-2020-2181?

What happens if I don’t address CVE-2020-2181?

Are there workarounds for CVE-2020-2181?

Affected Software	Affected Version	How to fix
redhat/jenkins-credential-binding-plugin	<1.23	1.23
redhat/atomic-enterprise-service-catalog	<1:3.11.248-1.git.1.9aad2ef.el7	1:3.11.248-1.git.1.9aad2ef.el7
redhat/atomic-openshift-cluster-autoscaler	<0:3.11.248-1.git.1.b5530f6.el7	0:3.11.248-1.git.1.b5530f6.el7
redhat/atomic-openshift-descheduler	<0:3.11.248-1.git.1.108ef32.el7	0:3.11.248-1.git.1.108ef32.el7
redhat/atomic-openshift-dockerregistry	<0:3.11.248-1.git.1.bb4a1fc.el7	0:3.11.248-1.git.1.bb4a1fc.el7
redhat/atomic-openshift-metrics-server	<0:3.11.248-1.git.1.b53e0e3.el7	0:3.11.248-1.git.1.b53e0e3.el7
redhat/atomic-openshift-node-problem-detector	<0:3.11.248-1.git.1.628ff22.el7	0:3.11.248-1.git.1.628ff22.el7
redhat/atomic-openshift-service-idler	<0:3.11.248-1.git.1.4c42a90.el7	0:3.11.248-1.git.1.4c42a90.el7
redhat/golang-github-openshift-oauth-proxy	<0:3.11.248-1.git.1.9885abb.el7	0:3.11.248-1.git.1.9885abb.el7
redhat/golang-github-prometheus-alertmanager	<0:3.11.248-1.git.1.66abd18.el7	0:3.11.248-1.git.1.66abd18.el7
redhat/golang-github-prometheus-prometheus	<0:3.11.248-1.git.1.ad54f5b.el7	0:3.11.248-1.git.1.ad54f5b.el7
redhat/jenkins	<2-plugins-0:3.11.1593081747-1.el7	2-plugins-0:3.11.1593081747-1.el7
redhat/openshift-ansible	<0:3.11.248-1.git.0.fd212c7.el7	0:3.11.248-1.git.0.fd212c7.el7
redhat/openshift-enterprise-autoheal	<0:3.11.248-1.git.1.0020348.el7	0:3.11.248-1.git.1.0020348.el7
redhat/openshift-enterprise-cluster-capacity	<0:3.11.248-1.git.1.37b107c.el7	0:3.11.248-1.git.1.37b107c.el7
redhat/openshift-kuryr	<0:3.11.248-1.git.1.f90c804.el7	0:3.11.248-1.git.1.f90c804.el7
redhat/python-urllib3	<0:1.24.3-1.el7	0:1.24.3-1.el7
redhat/jenkins	<2-plugins-0:4.3.1601981312-1.el7	2-plugins-0:4.3.1601981312-1.el7
redhat/jenkins	<2-plugins-0:4.4.1598545590-1.el7	2-plugins-0:4.4.1598545590-1.el7
redhat/jenkins	<2-plugins-0:4.5.1596698303-1.el7	2-plugins-0:4.5.1596698303-1.el7
Jenkins Credentials Binding	<=1.22
maven/org.jenkins-ci.plugins:credentials-binding	<=1.22	1.23