First published: Wed May 06 2020
A vulnerability was found in Jenkins Credentials Binding Plugin: versions 1.22 and earlier do not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. Reference: http://www.openwall.com/lists/oss-security/2020/05/06/3
Credit: jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jenkins-credential-binding-plugin | <1.23 | 1.23 |
redhat/atomic-enterprise-service-catalog | <1:3.11.248-1.git.1.9aad2ef.el7 | 1:3.11.248-1.git.1.9aad2ef.el7 |
redhat/atomic-openshift-cluster-autoscaler | <0:3.11.248-1.git.1.b5530f6.el7 | 0:3.11.248-1.git.1.b5530f6.el7 |
redhat/atomic-openshift-descheduler | <0:3.11.248-1.git.1.108ef32.el7 | 0:3.11.248-1.git.1.108ef32.el7 |
redhat/atomic-openshift-dockerregistry | <0:3.11.248-1.git.1.bb4a1fc.el7 | 0:3.11.248-1.git.1.bb4a1fc.el7 |
redhat/atomic-openshift-metrics-server | <0:3.11.248-1.git.1.b53e0e3.el7 | 0:3.11.248-1.git.1.b53e0e3.el7 |
redhat/atomic-openshift-node-problem-detector | <0:3.11.248-1.git.1.628ff22.el7 | 0:3.11.248-1.git.1.628ff22.el7 |
redhat/atomic-openshift-service-idler | <0:3.11.248-1.git.1.4c42a90.el7 | 0:3.11.248-1.git.1.4c42a90.el7 |
redhat/golang-github-openshift-oauth-proxy | <0:3.11.248-1.git.1.9885abb.el7 | 0:3.11.248-1.git.1.9885abb.el7 |
redhat/golang-github-prometheus-alertmanager | <0:3.11.248-1.git.1.66abd18.el7 | 0:3.11.248-1.git.1.66abd18.el7 |
redhat/golang-github-prometheus-prometheus | <0:3.11.248-1.git.1.ad54f5b.el7 | 0:3.11.248-1.git.1.ad54f5b.el7 |
redhat/jenkins | <2-plugins-0:3.11.1593081747-1.el7 | 2-plugins-0:3.11.1593081747-1.el7 |
redhat/openshift-ansible | <0:3.11.248-1.git.0.fd212c7.el7 | 0:3.11.248-1.git.0.fd212c7.el7 |
redhat/openshift-enterprise-autoheal | <0:3.11.248-1.git.1.0020348.el7 | 0:3.11.248-1.git.1.0020348.el7 |
redhat/openshift-enterprise-cluster-capacity | <0:3.11.248-1.git.1.37b107c.el7 | 0:3.11.248-1.git.1.37b107c.el7 |
redhat/openshift-kuryr | <0:3.11.248-1.git.1.f90c804.el7 | 0:3.11.248-1.git.1.f90c804.el7 |
redhat/python-urllib3 | <0:1.24.3-1.el7 | 0:1.24.3-1.el7 |
redhat/jenkins | <2-plugins-0:4.3.1601981312-1.el7 | 2-plugins-0:4.3.1601981312-1.el7 |
redhat/jenkins | <2-plugins-0:4.4.1598545590-1.el7 | 2-plugins-0:4.4.1598545590-1.el7 |
redhat/jenkins | <2-plugins-0:4.5.1596698303-1.el7 | 2-plugins-0:4.5.1596698303-1.el7 |
Jenkins Credentials Binding | <=1.22 | |
maven/org.jenkins-ci.plugins:credentials-binding | <=1.22 | 1.23 |