CVE-2020-2182
First published: Wed May 06 2020(Updated: )
A vulnerability was found in Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. Reference: <a href="http://www.openwall.com/lists/oss-security/2020/05/06/3">http://www.openwall.com/lists/oss-security/2020/05/06/3</a>
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins-credential-binding-plugin | <1.23 | 1.23 |
| redhat/atomic-enterprise-service-catalog | <1:3.11.248-1.git.1.9aad2ef.el7 | 1:3.11.248-1.git.1.9aad2ef.el7 |
| redhat/atomic-openshift-cluster-autoscaler | <0:3.11.248-1.git.1.b5530f6.el7 | 0:3.11.248-1.git.1.b5530f6.el7 |
| redhat/atomic-openshift-descheduler | <0:3.11.248-1.git.1.108ef32.el7 | 0:3.11.248-1.git.1.108ef32.el7 |
| redhat/atomic-openshift-dockerregistry | <0:3.11.248-1.git.1.bb4a1fc.el7 | 0:3.11.248-1.git.1.bb4a1fc.el7 |
| redhat/atomic-openshift-metrics-server | <0:3.11.248-1.git.1.b53e0e3.el7 | 0:3.11.248-1.git.1.b53e0e3.el7 |
| redhat/atomic-openshift-node-problem-detector | <0:3.11.248-1.git.1.628ff22.el7 | 0:3.11.248-1.git.1.628ff22.el7 |
| redhat/atomic-openshift-service-idler | <0:3.11.248-1.git.1.4c42a90.el7 | 0:3.11.248-1.git.1.4c42a90.el7 |
| redhat/golang-github-openshift-oauth-proxy | <0:3.11.248-1.git.1.9885abb.el7 | 0:3.11.248-1.git.1.9885abb.el7 |
| redhat/golang-github-prometheus-alertmanager | <0:3.11.248-1.git.1.66abd18.el7 | 0:3.11.248-1.git.1.66abd18.el7 |
| redhat/golang-github-prometheus-prometheus | <0:3.11.248-1.git.1.ad54f5b.el7 | 0:3.11.248-1.git.1.ad54f5b.el7 |
| redhat/jenkins | <2-plugins-0:3.11.1593081747-1.el7 | 2-plugins-0:3.11.1593081747-1.el7 |
| redhat/openshift-ansible | <0:3.11.248-1.git.0.fd212c7.el7 | 0:3.11.248-1.git.0.fd212c7.el7 |
| redhat/openshift-enterprise-autoheal | <0:3.11.248-1.git.1.0020348.el7 | 0:3.11.248-1.git.1.0020348.el7 |
| redhat/openshift-enterprise-cluster-capacity | <0:3.11.248-1.git.1.37b107c.el7 | 0:3.11.248-1.git.1.37b107c.el7 |
| redhat/openshift-kuryr | <0:3.11.248-1.git.1.f90c804.el7 | 0:3.11.248-1.git.1.f90c804.el7 |
| redhat/python-urllib3 | <0:1.24.3-1.el7 | 0:1.24.3-1.el7 |
| redhat/jenkins | <2-plugins-0:4.3.1601981312-1.el7 | 2-plugins-0:4.3.1601981312-1.el7 |
| redhat/jenkins | <2-plugins-0:4.4.1598545590-1.el7 | 2-plugins-0:4.4.1598545590-1.el7 |
| redhat/jenkins | <2-plugins-0:4.5.1596698303-1.el7 | 2-plugins-0:4.5.1596698303-1.el7 |
| Jenkins Credentials Binding | <=1.22 | |
| maven/org.jenkins-ci.plugins:credentials-binding | <=1.22 | 1.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-2182
- https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835
- http://www.openwall.com/lists/oss-security/2020/05/06/3
- https://github.com/jenkinsci/credentials-binding-plugin/commit/77681e0d184b0ccafa2a27da3b3bdbba95b4fe8f
- https://github.com/advisories/GHSA-7ff8-qfwx-8gx5 (Advisory)
- https://access.redhat.com/errata/RHSA-2020:3625
- https://access.redhat.com/security/cve/cve-2020-2182
- https://access.redhat.com/errata/RHSA-2020:4265
- https://bugzilla.redhat.com/show_bug.cgi?id=1847348
- https://www.cve.org/CVERecord?id=CVE-2020-2182 https://nvd.nist.gov/vuln/detail/CVE-2020-2182 https://jenkins.io/security/advisory/2020-05-06/#SECURITY-1835
- https://access.redhat.com/errata/RHBA-2020:2990
- https://access.redhat.com/errata/RHSA-2020:3453
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-2182?
The severity of CVE-2020-2182 is classified as medium.
How do I fix CVE-2020-2182?
To fix CVE-2020-2182, update the Jenkins Credentials Binding Plugin to version 1.23 or later.
What products are affected by CVE-2020-2182?
CVE-2020-2182 affects Jenkins Credentials Binding Plugin version 1.22 and earlier.
What does CVE-2020-2182 vulnerability affect specifically?
CVE-2020-2182 particularly affects secret masking for credentials that contain a '$' character.
Is there a workaround for CVE-2020-2182?
There is no documented workaround for CVE-2020-2182; updating the plugin is the recommended action.
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-7ff8-qfwx-8gx5
- alias/CVE-2020-2182
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins credentials binding
- version/jenkins credentials binding/1.22
- package-manager/maven