CVE-2022-34174: Observable Discrepancy

June 23, 2022 (updated November 3, 2023)

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

References

nvd.nist.gov/vuln/detail/CVE-2022-34174
www.jenkins.io/security/advisory/2022-06-22/

Detect and mitigate CVE-2022-34174 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →