Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Z3JqLWo0M20tbWpxcs4AAs7n
Observable timing discrepancy allows determining username validity in Jenkins
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames.
Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.
Permalink: https://github.com/advisories/GHSA-9grj-j43m-mjqrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Z3JqLWo0M20tbWpxcs4AAs7n
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-9grj-j43m-mjqr, CVE-2022-34174
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-34174
- https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566
- https://github.com/jenkinsci/jenkins/commit/957ef5902f2e40b6358e6d10f12b26f9dbd2f75a
- https://github.com/advisories/GHSA-9grj-j43m-mjqr
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: < 2.332.4, >= 2.334, < 2.356Fixed in: 2.332.4, 2.356