VYPR
Moderate severity · NVD Advisory · Published Jul 9, 2025 · Updated Nov 4, 2025

CVE-2025-53650

Description

Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Credentials Binding Plugin fails to mask credentials in exception error messages written to the build log, exposing secrets.

Vulnerability

Jenkins Credentials Binding Plugin versions 687.v619cb_15e923f and earlier contain a flaw where credentials are not properly masked (replaced with asterisks) when they appear in exception error messages that get written to the build log [1][3]. This means that if a build step throws an exception containing a credential value (e.g., a password or secret text), that credential will be printed in plaintext in the build log instead of being obscured [2].

Exploitation

No special authentication or network position is required beyond the ability to trigger a build that uses credentials bound via the Credentials Binding Plugin and that encounters an error condition [1]. Any user with access to view build logs (e.g., developers, administrators, or users with Job/Read permission) can see the exposed credentials [2]. The exposure occurs during normal operation of the plugin; no separate attack vector is needed.

Impact

An attacker who can view build logs can obtain plaintext credentials (secrets, passwords, SSH keys, etc.) that were intended to be masked. This could lead to unauthorized access to systems or services protected by those credentials [1][2]. The severity has been assessed as Medium (CVSS) [1].

Mitigation

The fix is implemented in Credentials Binding Plugin version 696.v256688029804, which rethrows exceptions that contain credentials and ensures those credentials are masked in error messages [1][2]. Users should update to this version or later. No workaround is described for affected versions [1].
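The failure class described above, as an added Python model (not the plugin's code, which is Java, and not taken from the advisory): step output passes through a masking wrapper, but the error text reaches the log by a separate path. The names `mask`, `with_credentials`, `failing_step`, `MaskedStepError`, the `repo.example` URL and the secret values are all constructed for illustration.

```python
MASK = "****"

def mask(text, secrets):
    """Replace bound secret values; longest first so a secret that contains
    another one is not left half-exposed."""
    for s in sorted(filter(None, secrets), key=len, reverse=True):
        text = text.replace(s, MASK)
    return text

def chain_text(exc):
    """Render an exception and its cause chain as a runner would log it."""
    parts = []
    while exc is not None:
        parts.append(f"{type(exc).__name__}: {exc}")
        exc = exc.__cause__
    return "\nCaused by: ".join(parts)

class MaskedStepError(Exception):
    """Hypothetical wrapper carrying only masked text."""

def failing_step(write, token):
    write(f"using token {token}")  # ordinary output: goes through the mask
    try:
        raise ConnectionError(f"401 from https://ci:{token}@repo.example/app.git")
    except ConnectionError as e:
        raise RuntimeError("checkout failed") from e  # secret sits in the cause

def with_credentials(step, secrets, log, mask_errors):
    """Binding scope: step output is masked; errors only if mask_errors."""
    try:
        step(lambda line: log.append(mask(line, secrets)), secrets[0])
    except Exception as e:
        if mask_errors:  # hardened: rethrow masked text, drop the raw chain
            raise MaskedStepError(mask(chain_text(e), secrets)) from None
        raise  # weak: raw exception escapes the masking scope

def run_build(secrets, mask_errors):
    log = []
    try:
        with_credentials(failing_step, secrets, log, mask_errors)
    except Exception as e:
        log.append("ERROR: " + chain_text(e))  # runner logs outside the mask
    return "\n".join(log)

SECRETS = ["hunter2-deploy-token", "hunter2"]  # constructed sample values

if __name__ == "__main__":
    print(run_build(SECRETS, mask_errors=False), end="\n\n")
    print(run_build(SECRETS, mask_errors=True))
```

In the weak run the token is masked in the step's own output yet appears in the `Caused by:` line, which is why masking only the top-level message of an exception is not sufficient.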

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:credentials-binding (Maven) | < 687.689.v1a | 687.689.v1a |
