cbcvebase.
CVE-2022-34174
published 2022-06-23

CVE-2022-34174: In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an…

PriorityP345high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
1.22%
64.9th percentile
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

Affected

33 ranges· showing 25
VendorProductVersion rangeFixed in
jenkinsagent_server_parameter_plugin
jenkinsbeaker_builder_plugin
jenkinsconvertigo_mobile_platform_plugin
jenkinscrx_content_package_deployer_plugin
jenkinsdate_parameter_plugin
jenkinsdynamic_extended_choice_parameter_plugin
jenkinseasyqa_plugin
jenkinsembeddable_build_status_plugin
jenkinsfilesystem_list_parameter_plugin
jenkinshidden_parameter_plugin
jenkinsimage_tag_parameter_plugin
jenkinsimproper_authorization_in_embeddable_build_status_plugin
jenkinsinput_step_plugin
jenkinsjenkins<= 2.332.3
jenkinsjenkins<= 2.355
jenkinsjenkins_ci_server_plugin
jenkinsjenkins_core
jenkinsjenkins_lts
jenkinsjenkins_weekly
jenkinsjianliao_notification_plugin
jenkinsjunit_plugin
jenkinsmaven_metadata_plugin
jenkinsnested_view_plugin
jenkinsns-nd_integration_performance_publisher_plugin
jenkinsorchestrator_plugin

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.