Fluid Attacks Database

Description

Jenkins allows attackers to determine whether a user exists The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.main:jenkins-core	>=1.533 <1.551 \|\| >=0 <1.532.2	1.551, 1.532.2

Aliases

1. CVE-2014-20642. NVD-2014-20643. OSV-2014-20644. GCVE-2014-2064

References

1. https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec2. https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-143. http://www.openwall.com/lists/oss-security/2014/02/21/24. https://github.com/Naramsim/Offensive

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.