CVE-2022-34174 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.334 <2.356 || >=0 <2.332.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02502 pctl0.84777

Details

Observable timing discrepancy allows determining username validity in Jenkins In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.

Metadata

Created: 2022-06-24T00:00:31Z
Modified: 2022-12-05T23:37:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-9grj-j43m-mjqr/GHSA-9grj-j43m-mjqr.json
CWE IDs: ["CWE-203", "CWE-208"]
Alternative ID: GHSA-9grj-j43m-mjqr
Finding: F026
Auto approve: 1