CVE-2022-34174

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Published: Jun 23, 2022
Updated: May 9, 2024
CVE: CVE-2022-34174
GHSA: GHSA-9grj-j43m-mjqr
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-203
CWE-208

Affected Software
References

Software	From	Fixed in
jenkins / jenkins	-	2.332.3.x
jenkins / jenkins	-	2.355.x
org.jenkins-ci.main / jenkins-core	2.334	2.356
org.jenkins-ci.main / jenkins-core	-	2.332.4

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566

Vulnerability Database

289,599

CVE-2022-34174