Jenkins Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator, allowing attackers with Item/Read permission to retrieve the default password parameter value from jobs.
Weakness
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Pipeline:_build_step | Jenkins | * | 2.15 (including) |
| Red Hat OpenShift Container Platform 3.11 | RedHat | jenkins-2-plugins-0:3.11.1650371376-1.el7 | * |
| Red Hat OpenShift Container Platform 4.10 | RedHat | jenkins-2-plugins-0:4.10.1647505461-1.el8 | * |
| Red Hat OpenShift Container Platform 4.6 | RedHat | jenkins-2-plugins-0:4.6.1650364520-1.el8 | * |
| Red Hat OpenShift Container Platform 4.7 | RedHat | jenkins-2-plugins-0:4.7.1648800585-1.el8 | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | jenkins-2-plugins-0:4.8.1646993358-1.el8 | * |
| Red Hat OpenShift Container Platform 4.9 | RedHat | jenkins-2-plugins-0:4.9.1647580879-1.el8 | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/102.html
- https://cwe.mitre.org/data/definitions/474.html
- https://cwe.mitre.org/data/definitions/50.html
- https://cwe.mitre.org/data/definitions/509.html
- https://cwe.mitre.org/data/definitions/551.html
- https://cwe.mitre.org/data/definitions/555.html
- https://cwe.mitre.org/data/definitions/560.html
- https://cwe.mitre.org/data/definitions/561.html
- https://cwe.mitre.org/data/definitions/600.html
- https://cwe.mitre.org/data/definitions/644.html
- https://cwe.mitre.org/data/definitions/645.html
- https://cwe.mitre.org/data/definitions/652.html
- https://cwe.mitre.org/data/definitions/653.html