CVE-2014-2064

Published: Oct 17, 2014Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Affected (2)

Products: Jenkins: Jenkins

Jenkins

1 product

Jenkins

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 1.532.1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 1.550

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

http://www.openwall.com/lists/oss-security/2014/02/21/2

Source: security@debian.org

https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec

Source: security@debian.org

Patch

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Source: security@debian.org

Vendor Advisory

http://www.openwall.com/lists/oss-security/2014/02/21/2

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.