Regarding this: https://www.jenkins.io/security/advisory/2020-05-06/#SECURITY-1835

Jenkins pipeline, using jenkinsfile, Credentials Binding Plugin 1.23 and Jenkins War 2.176.2 or 2.222.3. - password is not fully masking the log output password in contradiction to the security notes, when the password contains:  

abc123$$

abc$$123

The result that is exposed in the log output, is (we expect it to be fully masked): 

abc123

abc

Our linux system uses UTF-8, but we added -Dfile.encoding=UTF-8 to the jvm arguments to be sure jenkins was using it.  If escaped, the password is concealed in the logs, however we manage a large opensource Jenkins community privately within the corporation and are concerned about any unknown possible security leaks of people unknowingly not escaping their passwords.  Please clarify:  Is the plugin strictly requiring escaped $$ in the password? Or is the plugin expected to mask all passwords regardless of escaping $$'s?  If the latter, then we are still experiencing a bug. 

SECURITY-1835 / CVE-2020-2182
Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is passed to (post) build steps.
Credentials Binding Plugin 1.22 and earlier does not mask the escaped form of the secret (containing $$). This occurs for example in the "Execute Maven top-level targets" build step included in Jenkins.
Credentials Binding Plugin 1.23 now masks secrets both in their original form and with escaped $ characters so they will be masked even if printed before value expansion.