CVE-2022-34174
First published: Wed Jun 22 2022(Updated: )
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.361.1.1675406172-1.el8 | 0:2.361.1.1675406172-1.el8 |
| redhat/jenkins | <0:2.361.1.1672840472-1.el8 | 0:2.361.1.1672840472-1.el8 |
| redhat/jenkins | <0:2.361.1.1675668150-1.el8 | 0:2.361.1.1675668150-1.el8 |
| <=2.332.3 | ||
| <=2.355 | ||
| Jenkins Jenkins | <=2.332.3 | |
| Jenkins Jenkins | <=2.355 | |
| maven/org.jenkins-ci.main:jenkins-core | <2.332.4 | 2.332.4 |
| maven/org.jenkins-ci.main:jenkins-core | >=2.334<2.356 | 2.356 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-34174
- https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566
- https://github.com/jenkinsci/jenkins/commit/957ef5902f2e40b6358e6d10f12b26f9dbd2f75a
- https://github.com/advisories/GHSA-9grj-j43m-mjqr (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2022-34174 https://nvd.nist.gov/vuln/detail/CVE-2022-34174 https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566
- https://bugzilla.redhat.com/show_bug.cgi?id=2119653
- https://access.redhat.com/errata/RHSA-2023:0697
- https://access.redhat.com/errata/RHSA-2023:0017
- https://access.redhat.com/errata/RHSA-2023:0777
- https://access.redhat.com/security/cve/cve-2022-34174
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-34174?
CVE-2022-34174 is a vulnerability in Jenkins that allows an observable timing discrepancy on the login form, allowing an attacker to distinguish between login attempts with an invalid username and login attempts with a valid username and wrong password.
What is the severity of CVE-2022-34174?
CVE-2022-34174 has a severity rating of 7.5 (High).
How does CVE-2022-34174 impact Jenkins?
CVE-2022-34174 impacts Jenkins versions 2.355 and earlier LTS 2.332.3 and earlier by allowing an attacker to distinguish between login attempts with different types of credentials.
What is the remedy for CVE-2022-34174?
The remedy for CVE-2022-34174 is to update Jenkins to version 2.356 or later, or LTS to version 2.332.4 or later.
Where can I find more information about CVE-2022-34174?
More information about CVE-2022-34174 can be found at the following references: [CVE Details](https://www.cve.org/CVERecord?id=CVE-2022-34174), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-34174), [Jenkins Security Advisory](https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2119653), [Red Hat Errata](https://access.redhat.com/errata/RHSA-2023:0697).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-9grj-j43m-mjqr
- alias/CVE-2022-34174
- collector/github-advisory-latest
- collector/nvd-api
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- package-manager/maven
- vendor/jenkins
- canonical/jenkins jenkins
- version/jenkins jenkins/2.332.3
- version/jenkins jenkins/2.355
- package-manager/redhat