Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is passed to (post) build steps.
Credentials Binding Plugin 1.22 and earlier does not mask the escaped form of the secret (containing $$). This occurs for example in the “Execute Maven top-level targets” build step included in Jenkins.\n\nCredentials Binding Plugin 1.23 now masks secrets both in their original form and with escaped $ characters, so they will be masked even if printed before value expansion.