CVE-2022-34174

MEDIUM5.3EPSS 0.55%

Observable timing discrepancy allows determining username validity in Jenkins

Published: 6/24/2022Modified: 4/3/2025

Description

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Affected packages (2)

Bitnami/jenkinsfrom 0, < 2.355.1
Maven/org.jenkins-ci.main:jenkins-core>= 2.334, < 2.356

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-34174
PATCHhttps://github.com/jenkinsci/jenkins
WEBhttps://github.com/jenkinsci/jenkins/commit/957ef5902f2e40b6358e6d10f12b26f9dbd2f75a
WEBhttps://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566