Moderate severity · NVD Advisory · Published Feb 15, 2022 · Updated Aug 3, 2024

CVE-2022-25180

Description

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Pipeline: Groovy Plugin leaks password parameters to replay builds, allowing attackers with Run/Replay permission to steal passwords.

Vulnerability

Jenkins Pipeline: Groovy Plugin version 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds. This occurs when a user with Run/Replay permission replays a build that previously used password parameters, exposing those secrets in the replay parameters. [1][2]

Exploitation

An attacker with Run/Replay permission on a Pipeline job can replay any previous build. If the original build included password parameters, the attacker can view those same parameters (including their plaintext values) in the replay dialog, thereby obtaining the credentials. [1]

Impact

The attacker gains the plaintext values of password parameters used in prior builds of the Pipeline. This can lead to unauthorized access to systems or services protected by these passwords, potentially compromising sensitive data or infrastructure. [1][2]

Mitigation

Upgrade to Pipeline: Groovy Plugin version 2656.vf7a_e7b_75a_457 or later, which prevents replay if password parameters are present (as shown in the commit [3]). No other workaround is available. [1]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           org.jenkins-ci.plugins.workflow:workflow-cps (Maven)
Affected versions: < 2656.vf7a_e7b_75a_457
Patched versions:  2656.vf7a_e7b_75a_457

Patches

886676efdd71

[SECURITY-2443]

https://github.com/jenkinsci/workflow-cps-plugin · Yaroslav Afenkin · Feb 9, 2022 · via ghsa
2 files changed · +30 −0
  • src/main/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayAction.java  +12 −0  modified
    @@ -35,8 +35,10 @@
     import hudson.model.Action;
     import hudson.model.Cause;
     import hudson.model.CauseAction;
    +import hudson.model.Failure;
     import hudson.model.Item;
     import hudson.model.ParametersAction;
    +import hudson.model.PasswordParameterValue;
     import hudson.model.Queue;
     import hudson.model.Run;
     import hudson.model.queue.QueueTaskFuture;
    @@ -262,12 +264,22 @@ public void doRebuild(StaplerRequest req, StaplerResponse rsp) throws ServletExc
             }
             actions.add(new ReplayFlowFactoryAction(replacementMainScript, replacementLoadedScripts, execution.isSandbox()));
             actions.add(new CauseAction(new Cause.UserIdCause(), new ReplayCause(run)));
    +
    +        if (hasPasswordParameter(this.run)) {
    +            throw new Failure("Replay is not allowed when password parameters are used.");
    +        }
    +
             for (Class<? extends Action> c : COPIED_ACTIONS) {
                 actions.addAll(run.getActions(c));
             }
             return ParameterizedJobMixIn.scheduleBuild2(run.getParent(), 0, actions.toArray(new Action[actions.size()]));
         }
     
    +    private boolean hasPasswordParameter(Run run) {
    +        ParametersAction pa = run.getAction(ParametersAction.class);
    +        return pa != null && pa.getParameters().stream().anyMatch(PasswordParameterValue.class::isInstance);
    +    }
    +
         /**
          * Finds a set of Groovy class names which are eligible for replacement.
          * @param execution the associated execution
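Review bot: the hasPasswordParameter guard in this hunk is evaluated only after replacementMainScript, replacementLoadedScripts, the ReplayFlowFactoryAction and the CauseAction have already been assembled; moving the check to the very start of the method, before any replacement script is computed, would fail fast and keep the guard independent of how the action list is built later. Two smaller points: `private boolean hasPasswordParameter(Run run)` uses the raw `Run` type where `Run<?, ?>` would avoid the raw-type warning, and the call site passes `this.run` while the surrounding lines use the unqualified `run`; pick one form. Note also that the guard is purely type-based (`PasswordParameterValue.class::isInstance`), so a parameter value class from another plugin that carries a secret without extending PasswordParameterValue is not blocked by this change.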
    
  • src/test/java/org/jenkinsci/plugins/workflow/cps/replay/ReplayActionTest.java  +18 −0  modified
    @@ -33,9 +33,12 @@
     import hudson.cli.CLICommandInvoker;
     import hudson.init.InitMilestone;
     import hudson.init.Initializer;
    +import hudson.model.Failure;
     import hudson.model.Item;
     import hudson.model.ParametersAction;
     import hudson.model.ParametersDefinitionProperty;
    +import hudson.model.PasswordParameterDefinition;
    +import hudson.model.PasswordParameterValue;
     import hudson.model.Run;
     import hudson.model.StringParameterDefinition;
     import hudson.model.StringParameterValue;
    @@ -135,6 +138,21 @@ public class ReplayActionTest {
             });
         }
     
    +    @Issue("SECURITY-2443")
    +    @Test public void withPasswordParameter() {
    +        story.then(r -> {
    +            WorkflowJob p = story.j.jenkins.createProject(WorkflowJob.class, "p");
    +            p.addProperty(new ParametersDefinitionProperty(new PasswordParameterDefinition("passwordParam", "top secret", "")));
    +            p.setDefinition(new CpsFlowDefinition("echo(/passwordParam: ${passwordParam}/)", true));
    +            WorkflowRun run1 = story.j.assertBuildStatusSuccess(p.scheduleBuild2(0,
    +                    new ParametersAction(new PasswordParameterValue("passwordParam", "confidential"))));
    +
    +            // When we replay a build with password parameter it should fail with access denied exception.
    +            assertThrows(Failure.class,
    +                    () -> run1.getAction(ReplayAction.class).run("echo(/Replaying passwordParam: ${passwordParam}/)", Collections.emptyMap()).get());
    +        });
    +    }
    +
         @Issue("JENKINS-50784")
         @Test public void lazyLoadExecutionStillReplayable() throws Exception {
             story.then( r-> {
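Review bot: the comment above assertThrows says the replay "should fail with access denied exception", but the assertion expects hudson.model.Failure, which is what the new guard in ReplayAction throws, not an AccessDeniedException; reword the comment to match, e.g. `// Replaying a build that had a password parameter must be rejected with Failure.` It would also strengthen the test to assert on the thrown message ("Replay is not allowed when password parameters are used.") so that a different Failure raised earlier in the replay path cannot make the test pass by accident, and to add a companion case showing the same job is still replayable when the build carries only a StringParameterValue, so the guard is proven not to block ordinary replays.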
    
