CVE-2022-34174

HIGH

Jenkins <2.355-<2.332.3 - Info Disclosure

Title source: llm
STIX 2.1

Description

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

References (1)

Core 1
Core References

Scores

CVSS v3 7.5
EPSS 0.0047
EPSS Percentile 64.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-203
Status published
Products (3)
jenkins/jenkins < 2.332.3
jenkins/jenkins < 2.355
org.jenkins-ci.main/jenkins-core 2.334 - 2.356Maven
Published Jun 23, 2022
Tracked Since Feb 18, 2026