1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-9GRJ-J43M-MJQR

[MAVEN:GHSA-9GRJ-J43M-MJQR] Observable timing discrepancy allows determining username validity in Jenkins

Severity Moderate
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames.

Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.

Package Affected Version
pkg:maven/org.jenkins-ci.main/jenkins-core < 2.332.4
pkg:maven/org.jenkins-ci.main/jenkins-core >= 2.334, < 2.356
Package Fixed Version
pkg:maven/org.jenkins-ci.main/jenkins-core = 2.332.4
pkg:maven/org.jenkins-ci.main/jenkins-core = 2.356
ID
MAVEN:GHSA-9GRJ-J43M-MJQR
Severity
moderate
URL
https://github.com/advisories/GHSA-9grj-j43m-mjqr
Published
2022-06-24T00:00:31
(2 years ago)
Modified
2023-12-27T18:52:05
(8 months ago)
Rights
Maven Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core < 2.332.4
Fixed pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core = 2.332.4
Affected pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core >= 2.334 < 2.356
Fixed pkg:maven/org.jenkins-ci.main/jenkins-core org.jenkins-ci.main jenkins-core = 2.356
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date