CVE-2022-34174

Aliases:GHSA-9grj-j43m-mjqrBIT-jenkins-2022-34174

Advisory lineage Upstream: 0 Downstream: 3

Downstream

RHSA-2023:0017 RHSA-2023:0697 RHSA-2023:0777

Modified

Published: 22 Jun 2022, 14:40

Last modified:03 Aug 2024, 08:16

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.55% LOW

1% probability -1.38%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 Jun 2022, 14:40

Published

Vulnerability first disclosed

03 Aug 2024, 08:16

Last Modified

Vulnerability information updated

Description

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.55%• Percentile: 68%

Techniques & Countermeasures

CWE-203•Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

Affected Systems

jenkins project•jenkins
≥ unspecified, ≤ 2.355 | ≥ unspecified, ≤ LTS 2.332.3
Unknown•Jenkins
≤ 2.332.3 | ≤ 2.355
org.jenkins-ci.main•jenkins-core
≥ 2.334, < 2.356 | < 2.332.4