CVE-2022-34174

Published: Jun 23, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Affected (2)

Products: Jenkins: Jenkins

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Up to 2.355
Jenkins Jenkins	Up to 2.332.3

Related CWEs

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (2)

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.