CVE-2022-34174

描述

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

受影響套件(2)

• Bitnami/jenkinsfrom 0, < 2.355.1
• Maven/org.jenkins-ci.main:jenkins-core>= 2.334, < 2.356

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-34174
• PATCHhttps://github.com/jenkinsci/jenkins
• WEBhttps://github.com/jenkinsci/jenkins/commit/957ef5902f2e40b6358e6d10f12b26f9dbd2f75a
• WEBhttps://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566