本頁列出影響 jenkins credentials_binding 的已公開 CVE 漏洞(透過 NVD CPE 關聯)。每列包含嚴重程度評分、摘要與發布日期,便於識別與分析安全議題。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-48922 | Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | [email protected] | 7.5 | 0.36% | 2026-05-27 | 2026-06-17 |
| CVE-2026-42520 | Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | [email protected] | 7.5 | 0.41% | 2026-04-29 | 2026-06-17 |
| CVE-2025-53650 | Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. | [email protected] | 7.3 | 0.32% | 2025-07-09 | 2026-06-17 |
| CVE-2022-20616 | Jenkins Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it's a zip file. | [email protected] | 4.3 | 0.85% | 2022-01-12 | 2026-06-17 |
| CVE-2020-2182 | Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets containing a `$` character in some circumstances. | [email protected] | 4.3 | 0.87% | 2020-05-06 | 2026-06-16 |
| CVE-2020-2181 | Jenkins Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace with asterisks) secrets in the build log when the build contains no build steps. | [email protected] | 6.5 | 1.08% | 2020-05-06 | 2026-06-16 |
| CVE-2019-1010241 | Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job. | [email protected] | 6.5 | 1.47% | 2019-07-19 | 2026-06-16 |
| CVE-2018-1000057 | Jenkins Credentials Binding Plugin 1.14 and earlier masks passwords it provides to build processes in their build logs. Jenkins however transforms provided password values, e.g. replacing environment variable references, which could result in values different from but similar to configured passwords being provided to the build. Those values are not subject to masking, and could allow unauthorized users to recover the original password. | [email protected] | 4.3 | 0.68% | 2018-02-09 | 2026-06-16 |