Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Pipeline:_build_step | Jenkins | * | 2.15 (including) |
| Red Hat OpenShift Container Platform 3.11 | RedHat | jenkins-2-plugins-0:3.11.1650371376-1.el7 | * |
| Red Hat OpenShift Container Platform 4.10 | RedHat | jenkins-2-plugins-0:4.10.1647505461-1.el8 | * |
| Red Hat OpenShift Container Platform 4.6 | RedHat | jenkins-2-plugins-0:4.6.1650364520-1.el8 | * |
| Red Hat OpenShift Container Platform 4.7 | RedHat | jenkins-2-plugins-0:4.7.1648800585-1.el8 | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | jenkins-2-plugins-0:4.8.1646993358-1.el8 | * |
| Red Hat OpenShift Container Platform 4.9 | RedHat | jenkins-2-plugins-0:4.9.1647580879-1.el8 | * |