CVE-2022-34174

Name: CVE-2022-34174
Description: In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
NVD Severity: medium

References

Type     URI
CONFIRM  https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566

Match rules

CPE URI                                       Source package  Min version  Max version
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*   jenkins         >= None      <= 2.332.3
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*     jenkins         >= None      <= 2.355

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                                  Status
jenkins         3.16-community  2.346.2-r0  Francesco Colista <fcolista@alpinelinux.org>  fixed