CVE-2022-34174

EPSS 1.7%
Published 23.06.2022 17:15:15
Last modified 21.11.2024 07:09:00
Source jenkinsci-cert@googlegroups.co
Teams watchlist Login
Open Login

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Jenkins ≫ Jenkins SwEditionlts Version <= 2.332.3

Jenkins ≫ Jenkins SwEdition- Version <= 2.355

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.7%	0.817

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-34174

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-34174

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-34174

EUVD