CVE-2022-34174
Observable timing discrepancy allows determining username validity in Jenkins
Description
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.
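To illustrate the pattern behind this advisory, the following is an added example (not Jenkins's own code): a login check that returns early for an unknown username, which does no hash work and is therefore measurably faster, next to a check that always runs the same verification against a synthetic record, as the fix describes. The user store, salt, iteration count and helper names are constructed for the demo; the call counter stands in for the elapsed time an observer would measure.

```python
import hashlib
import hmac
import os

# Constructed user database: username -> (salt, PBKDF2-SHA256 hash). Demo data only.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Counts expensive verifications per login attempt; each one costs wall-clock time,
# so the count is what an observer sees as a timing difference.
class VerifyCounter:
    def __init__(self):
        self.calls = 0

    def verify(self, password: str, salt: bytes, expected: bytes) -> bool:
        self.calls += 1
        return hmac.compare_digest(_hash(password, salt), expected)

def login_vulnerable(username: str, password: str, counter: VerifyCounter) -> bool:
    # Unknown user: returns before any hash work, so the request is visibly faster
    # than a wrong password for a real user. This is the discrepancy the CVE describes.
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return counter.verify(password, salt, expected)

# Synthetic record (random password, never accepted) used when the username is unknown,
# so the same verification cost is paid on both code paths.
_SYNTHETIC = (_SALT, _hash(os.urandom(16).hex(), _SALT))

def login_fixed(username: str, password: str, counter: VerifyCounter) -> bool:
    record = USERS.get(username)
    if record is None:
        salt, expected = _SYNTHETIC
        counter.verify(password, salt, expected)  # same work; result discarded
        return False
    salt, expected = record
    return counter.verify(password, salt, expected)

def hash_calls(login, username: str, password: str):
    """Run one login attempt and report (accepted, number of verifications performed)."""
    counter = VerifyCounter()
    accepted = login(username, password, counter)
    return accepted, counter.calls
```

The vulnerable variant performs zero verifications for an unknown user and one for a known user with a wrong password; the fixed variant performs exactly one in every case, so the two failure modes are no longer distinguishable by time.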
How to fix CVE-2022-34174
To remediate CVE-2022-34174, upgrade the affected package to a fixed version below.
- upgrade to 2.355.1 or later
- upgrade to 2.356 or later
Is CVE-2022-34174 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2.355.1
- >= 2.334, < 2.356
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |