Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS05Z3JqLWo0M20tbWpxcs4AAs7n

Moderate EPSS: 0.01704% (0.81501 Percentile) EPSS:
Permalink JSON

Observable timing discrepancy allows determining username validity in Jenkins

Affected Packages Affected Versions Fixed Versions
maven:org.jenkins-ci.main:jenkins-core < 2.332.4, >= 2.334, < 2.356 2.332.4, 2.356

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames.

Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.

References:

Identifiers

GHSA-9grj-j43m-mjqr

CVE-2022-34174

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.01704

EPSS Percentile: 0.81501

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jenkinsci/jenkins

Date and time

Published

about 3 years ago

Updated

over 1 year ago

API

JSON