they can use this password hash to expose the password and take control of the account

Could you provide steps to reproduce this?

I think that I forgot to mention that you need to configure a global password or use job level passwords from this plugin. Doing these options will show the environment variable as injected which cause this security problem.

This still doesn't explain how other users that

have Config access to a difference folder on the same master, ... can use this password hash to expose the password and take control of the account

They can use the CLI to retrieve the config.xml and then paste this hash into the document and then update the job back to jenkins.

Thanks for the explanation, makes sense. passwords should probably be hidden from this output completely, or just have the value (password hidden) or similar.

Not sure what “password hash” means in this context but is this just a duplicate of JENKINS-23447?

jglick: No, this is about variables recognized by Env-Inject as passwords. They're only shown in encrypted form on the Injected Env Vars page, but that can be reused in another job in the same instance the malicious user has config access to: Just run env there and you "decrypted" the password.

Any thoughts on this being fixed? We have to use passwords managed by a separate IT team for our CI process thus this issue is of concern to them.

JENKINS-29867 (https://github.com/jenkinsci/envinject-plugin/pull/57) should partially address this use-case in 1.92+

I think the JENKINS-29867 fix is enough. Please reopen the issue if you expect something else to be delivered