VYPR
Moderate severity · NVD Advisory · Published Aug 23, 2022 · Updated Aug 3, 2024

CVE-2022-38663

Description

Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (gitUsernamePassword) credentials binding.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Git Plugin 4.11.4 and earlier fails to properly mask credentials in build logs, masking usernames instead of passwords when the gitUsernamePassword credentials binding is used.

Vulnerability Details

Jenkins Git Plugin 4.11.4 and earlier does not properly mask credentials in the build log when using the Git Username and Password (gitUsernamePassword) credentials binding. Specifically, usernames are masked instead of passwords in cases where usernames are not set to be treated as secret [1][2][3]. This means that the actual password is printed in plain text in the build log, while the username is replaced with asterisks.

Exploitation

An attacker with access to Jenkins build logs (e.g., users with Job/Read permission or anyone who can view build console output) can retrieve the plaintext password for the Git credentials used in a job. No special network position or authentication bypass is required beyond existing log access [3]. The vulnerability is triggered automatically when a pipeline or freestyle job uses the gitUsernamePassword binding.

Impact

Successful exploitation leads to exposure of Git credentials, which could allow an attacker to gain unauthorized access to the configured Git repositories, potentially leading to code theft, supply chain attacks, or further lateral movement within the infrastructure [3][4].

Mitigation

The issue is fixed in Git Plugin 4.11.5, which properly masks passwords in the build log. As a side effect of the fix, usernames currently set to be not masked will lose their current (unintentional) masking [3][4]. Users are advised to upgrade to the latest version. No workarounds are mentioned; restricting access to build logs can reduce risk but does not address the underlying vulnerability.
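
The masking error and its fix, as an added example that is not code from the Git Plugin or Jenkins: a simplified model in which the caller passes its secret map first and masks every value found in it, so an implementation that declares the two same-typed maps in the opposite order masks the username and leaves the password, while the corrected order does the reverse. The names MaskingOrderDemo, PairBinding, fill and maskedLog, the credential values and the log line are all constructed for illustration; the assumption that the caller passes (secretValues, publicValues) is taken from the parameter order in the fix commit shown further down this page.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model, not Jenkins code (assumption): the caller passes
// (secretValues, publicValues) and masks every value found in the secret map.
public class MaskingOrderDemo {
    interface PairBinding {
        void bind(String user, String pass, boolean userIsSecret,
                  Map<String, String> secretValues, Map<String, String> publicValues);
    }

    // Body shared by both variants; only the declared parameter order differs.
    static void fill(String user, String pass, boolean userIsSecret,
                     Map<String, String> secretValues, Map<String, String> publicValues) {
        (userIsSecret ? secretValues : publicValues).put("GIT_USERNAME", user);
        secretValues.put("GIT_PASSWORD", pass);
    }

    // Pre-fix shape: maps declared as (public, secret), so the caller's secret
    // map is treated as the public one and the caller's public map as the secret one.
    static final PairBinding BEFORE = (u, p, s, publicValues, secretValues) ->
            fill(u, p, s, secretValues, publicValues);

    // Post-fix shape: declaration order matches what the caller passes.
    static final PairBinding AFTER = (u, p, s, secretValues, publicValues) ->
            fill(u, p, s, secretValues, publicValues);

    // Runs the binding with a non-secret username, then masks the log line the
    // way the caller would: every value in its secret map becomes asterisks.
    static String maskedLog(PairBinding binding, String logLine) {
        Map<String, String> secret = new HashMap<>();
        Map<String, String> pub = new HashMap<>();
        binding.bind("ci-bot", "constructed-pass", false, secret, pub);
        for (String value : secret.values()) {
            logLine = logLine.replace(value, "****");
        }
        return logLine;
    }

    public static void main(String[] args) {
        String line = "+ : ci-bot constructed-pass"; // constructed log line
        System.out.println("pre-fix order:  " + maskedLog(BEFORE, line));
        System.out.println("post-fix order: " + maskedLog(AFTER, line));
    }
}
```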

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:git (Maven)
Affected versions: < 4.11.5
Patched versions: 4.11.5

Affected products

2

Patches

1
3241db9cc696

SECURITY-2796

https://github.com/jenkinsci/git-plugin · Raul Arabaolaza · Aug 12, 2022 · via ghsa
2 files changed · +17 -2
  • src/main/java/jenkins/plugins/git/GitUsernamePasswordBinding.java · +1 -1 · modified
    @@ -96,7 +96,7 @@ public Set<String> variables(@NonNull Run<?, ?> build) {
         }
     
         @Override
    -    public void setCredentialPairBindings(@NonNull StandardCredentials credentials,Map<String,String> publicValues, Map<String,String> secretValues) {
    +    public void setCredentialPairBindings(@NonNull StandardCredentials credentials, Map<String,String> secretValues, Map<String,String> publicValues) {
             StandardUsernamePasswordCredentials usernamePasswordCredentials = (StandardUsernamePasswordCredentials) credentials;
             if(usernamePasswordCredentials.isUsernameSecret()){
                 secretValues.put(GIT_USERNAME_KEY, usernamePasswordCredentials.getUsername());
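
Review bot: Both map parameters of setCredentialPairBindings are Map<String,String>, so the compiler cannot tell a swapped declaration from a correct one, and the secretValues.put(...) call in the body reads as correct in either order. Add a short comment or Javadoc on this override stating that the secret map comes first and that the order is fixed by the overridden method, so a later signature cleanup does not reintroduce the swap.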
    
  • src/test/java/jenkins/plugins/git/GitUsernamePasswordBindingTest.java · +16 -1 · modified
    @@ -27,11 +27,13 @@
     import org.jenkinsci.plugins.workflow.job.WorkflowJob;
     import org.jenkinsci.plugins.workflow.job.WorkflowRun;
     import org.junit.Before;
    +import org.junit.ClassRule;
     import org.junit.Rule;
     import org.junit.Test;
     import org.junit.rules.TemporaryFolder;
     import org.junit.runner.RunWith;
     import org.junit.runners.Parameterized;
    +import org.jvnet.hudson.test.BuildWatcher;
     import org.jvnet.hudson.test.JenkinsRule;
     
     import java.io.File;
    @@ -49,6 +51,10 @@
     
     @RunWith(Parameterized.class)
     public class GitUsernamePasswordBindingTest {
    +
    +    @ClassRule
    +    public static BuildWatcher bw = new BuildWatcher();
    +
         @Parameterized.Parameters(name = "User {0}: Password {1}: GitToolInstance {2}")
         public static Collection<Object[]> data() {
             return Arrays.asList(testData);
    @@ -137,7 +143,7 @@ private String batchCheck(boolean includeCliCheck) {
         }
     
         private String shellCheck() {
    -        return "env | grep -E \"GIT_USERNAME|GIT_PASSWORD|GIT_TERMINAL_PROMPT\" > auth.txt";
    +        return "env | grep -E \"GIT_USERNAME|GIT_PASSWORD|GIT_TERMINAL_PROMPT\" > auth.txt;";
         }
     
         @Test
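
Review bot: The trailing `;` appended inside the string returned by shellCheck() is unexplained and looks unrelated to the masking fix; the same string is also embedded in the pipeline script as sh '...' further down. Either drop it or add a comment saying which caller needs the terminator.
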
    @@ -146,6 +152,7 @@ public void test_EnvironmentVariables_FreeStyleProject() throws Exception {
             prj.getBuildWrappersList().add(new SecretBuildWrapper(Collections.<MultiBinding<?>>
                     singletonList(new GitUsernamePasswordBinding(gitToolInstance.getName(), credentialID))));
             prj.getBuildersList().add(isWindows() ? new BatchFile(batchCheck(isCliGitTool())) : new Shell(shellCheck()));
    +        prj.getBuildersList().add(isWindows() ? new BatchFile("echo %GIT_USERNAME%:%GIT_PASSWORD%") : new Shell("echo $GIT_USERNAME; echo $GIT_PASSWORD"));
             r.configRoundtrip((Item) prj);
     
             SecretBuildWrapper wrapper = prj.getBuildWrappersList().get(SecretBuildWrapper.class);
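
Review bot: The added builder prints the values differently per platform: the Windows branch echoes %GIT_USERNAME%:%GIT_PASSWORD% on one line, the Unix branch echoes each variable separately. With both values on one line, a single masked value is enough to put asterisks in the log, so split the Windows command into two echo calls to keep the platforms comparable, and add a comment that this step exists only to push the bound values through the log masker.
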
    @@ -164,6 +171,7 @@ public void test_EnvironmentVariables_FreeStyleProject() throws Exception {
                 r.assertLogNotContains(this.username, b);
             }
             r.assertLogNotContains(this.password, b);
    +        r.assertLogContains("****", b);
     
             //Assert Keys
             assertThat(binding.variables(b), hasItem("GIT_USERNAME"));
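
Review bot: assertLogContains("****", b) is satisfied by any masked value, so it does not show which variable was masked; the real guard is the assertLogNotContains(this.password, b) line just above it. Consider also asserting that the username does appear in the log when it is not marked secret, which would pin the intended behaviour in both directions.
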
    @@ -198,8 +206,14 @@ public void test_EnvironmentVariables_PipelineJob() throws Exception {
                     + "node {\n"
                     + "  withCredentials([" + keyword + "(credentialsId: '" + credentialID + "'" + gitToolNameArg + ")]) {\n"
                     + "    if (isUnix()) {\n"
    +                + "      sh ': \"$GIT_PASSWORD\"'\n" // : will expand its parameters and do nothing with them
    +                + "      sh ': \"< $GIT_PASSWORD >\"'\n"
    +                + "      sh ': \"$GIT_USERNAME\"'\n"
    +                + "      sh ': \"< $GIT_USERNAME >\"'\n"
                     + "      sh '" + shellCheck() + "'\n"
                     + "    } else {\n"
    +                + "      bat 'echo %GIT_PASSWORD%'\n"
    +                + "      bat 'echo %GIT_USERNAME%'\n"
                     + "      bat '" + batchCheck(isCliGitTool()) + "'\n"
                     + "    }\n"
                     + "  }\n"
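
Review bot: The `: "< $GIT_PASSWORD >"` and `: "< $GIT_USERNAME >"` lines carry no comment, and the Windows branch has no counterpart for them. State in a comment that they cover a secret embedded in a longer argument and that the `:` lines only reach the log if the shell traces the expanded command, then add equivalent bat lines or say why they are not needed.
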
    @@ -211,6 +225,7 @@ public void test_EnvironmentVariables_PipelineJob() throws Exception {
             if(credentials.isUsernameSecret()) {
                 r.assertLogNotContains(this.username, b);
             }
    +        r.assertLogContains(": ****", b);
             r.assertLogNotContains(this.password, b);
             //Assert credential values
             String fileContents = r.jenkins.getWorkspaceFor(project).child("auth.txt").readToString().trim();
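
Review bot: assertLogContains(": ****", b) is unconditional, but the `: ` prefix comes from the Unix-only sh ': ...' steps; the Windows branch uses bat 'echo %GIT_PASSWORD%', which has no such prefix. Confirm this assertion passes on Windows or make the expected string depend on the platform, and consider moving it next to assertLogNotContains(this.password, b) with a comment tying the two checks together.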
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

1