CVE-2022-34174

EPSS 1.7%
Veröffentlicht 23.06.2022 17:15:15
Zuletzt bearbeitet 21.11.2024 07:09:00
Quelle jenkinsci-cert@googlegroups.co
Teams Watchlist Login
Unerledigt Login

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jenkins ≫ Jenkins SwEditionlts Version <= 2.332.3

Jenkins ≫ Jenkins SwEdition- Version <= 2.355

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.7%	0.817

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-34174

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-34174

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-34174

EUVD