
Anders Lundman

Researcher from WithSecure
#34825 of 53,633
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-22041
7.5
2022-06-22
Jenkins · Jenkins · CVE-2022-34174
**Name of the Vulnerable Software and Affected Versions**

Jenkins versions 2.355 and earlier, LTS versions 2.332.3 and earlier

**Description**

The issue is related to an observable timing discrepancy on the login form, which allows distinguishing between login attempts with an invalid username and login attempts with a valid username and wrong password when using the Jenkins user database security realm. This discrepancy enables attackers to determine the validity of attacker-specified usernames.

**Recommendations**

For Jenkins versions 2.355 and earlier, update to version 2.356 or later to eliminate the timing discrepancy. For Jenkins LTS versions 2.332.3 and earlier, update to version 2.332.4 or later to eliminate the timing discrepancy.