PT-2022-22041 · Jenkins · Jenkins

Anders Lundman · Published 2022-06-22 · Updated 2024-03-06

CVE-2022-34174 · CVSS v3.1 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.355 and earlier, LTS versions 2.332.3 and earlier

Description: The issue is related to an observable timing discrepancy on the login form, which allows distinguishing between login attempts with an invalid username and login attempts with a valid username and wrong password when using the Jenkins user database security realm. This discrepancy enables attackers to determine the validity of attacker-specified usernames.

Recommendations: For Jenkins versions 2.355 and earlier, update to version 2.356 or later to eliminate the timing discrepancy. For Jenkins LTS versions 2.332.3 and earlier, update to version 2.332.4 or later to eliminate the timing discrepancy.
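As an added illustration, not code from this advisory or from Jenkins: a minimal Python login check in the shape that produces this class of timing discrepancy (an unknown username returns before any password hashing is done), beside a hardened variant that performs the same hashing work against a dummy credential when the username does not exist. The user store, salt, iteration count and dummy credential are constructed for the example, and a counter of hash invocations stands in for wall-clock timing.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed; any slow password hash shows the same effect


def derive(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2-HMAC-SHA256); this is the measurable work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, stored hash). Not Jenkins' format.
SALT = b"constructed-salt"
USERS = {"alice": (SALT, derive("correct horse", SALT))}

# Dummy credential generated once at startup (assumption) so that lookups of
# unknown usernames can be charged the same hashing cost as real ones.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = derive(os.urandom(16).hex(), DUMMY_SALT)

HASH_CALLS = 0  # stand-in for elapsed time: how many slow hashes a login ran


def counted_derive(password: str, salt: bytes) -> bytes:
    global HASH_CALLS
    HASH_CALLS += 1
    return derive(password, salt)


def login_vulnerable(username: str, password: str) -> bool:
    """Unknown user short-circuits: zero hashes, so it responds visibly faster."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(counted_derive(password, salt), expected)


def login_hardened(username: str, password: str) -> bool:
    """Unknown user is checked against the dummy credential: same work, always fails."""
    record = USERS.get(username)
    known = record is not None
    salt, expected = record if known else (DUMMY_SALT, DUMMY_HASH)
    match = hmac.compare_digest(counted_derive(password, salt), expected)
    return match and known


def hash_ops(login, username: str, password: str):
    """Run one login attempt and return (result, number of slow hashes performed)."""
    global HASH_CALLS
    HASH_CALLS = 0
    return login(username, password), HASH_CALLS
```

A defender checking a deployed login form for this class of issue would compare response-time distributions for a known-invalid username against a known-valid one with a wrong password; the hash-call counter here is the deterministic equivalent of that comparison.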

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2022-34174
CVE-2022-34174
GHSA-9GRJ-J43M-MJQR
RHSA-2023:0017
RHSA-2023:0697
RHSA-2023:0777

Affected Products

Jenkins