Jenkins pipeline, using jenkinsfile, Credentials Binding Plugin 1.23 and Jenkins War 2.176.2 or 2.222.3. - password is not fully masking the log output password in contradiction to the security notes, when the password contains:
The result that is exposed in the log output, is (we expect it to be fully masked):
Our linux system uses UTF-8, but we added -Dfile.encoding=UTF-8 to the jvm arguments to be sure jenkins was using it. If escaped, the password is concealed in the logs, however we manage a large opensource Jenkins community privately within the corporation and are concerned about any unknown possible security leaks of people unknowingly not escaping their passwords.
SECURITY-1835 / CVE-2020-2182
Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is passed to (post) build steps.
Credentials Binding Plugin 1.22 and earlier does not mask the escaped form of the secret (containing $$). This occurs for example in the "Execute Maven top-level targets" build step included in Jenkins.
Credentials Binding Plugin 1.23 now masks secrets both in their original form and with escaped $ characters so they will be masked even if printed before value expansion.