GHSA-9grj-j43m-mjqr

Source

https://github.com/advisories/GHSA-9grj-j43m-mjqr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-9grj-j43m-mjqr/GHSA-9grj-j43m-mjqr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9grj-j43m-mjqr

Aliases

Published

2022-06-24T00:00:31Z

Modified

2024-02-16T08:21:04.044623Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Observable timing discrepancy allows determining username validity in Jenkins

Details

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames.

Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.

Database specific

{
    "nvd_published_at": "2022-06-23T17:15:00Z",
    "cwe_ids": [
        "CWE-203",
        "CWE-208"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-05T23:37:15Z"
}

References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.334

Fixed

2.356

Affected versions

2.*

2.334

2.335

2.336

2.337

2.338

2.339

2.340

2.341

2.342

2.343

2.344

2.345

2.346

2.346.1

2.346.2

2.346.3

2.347

2.348

2.349

2.350

2.354

2.355

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-9grj-j43m-mjqr/GHSA-9grj-j43m-mjqr.json"

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.332.4

Affected versions

1.*

1.396

1.397

1.398

1.399

1.400

1.401

1.403

1.404

1.405

1.406

1.407

1.408

1.409

1.409.1

1.409.2

1.409.3

1.410

1.411

1.412

1.413

1.414

1.415

1.416

1.417

1.418

1.419

1.420

1.421

1.422

1.423

1.424

1.424.1

1.424.2

1.424.3

1.424.4

1.424.5

1.424.6

1.425

1.426

1.427

1.428

1.429

1.430

1.431

1.432

1.433

1.434

1.435

1.436

1.437

1.438

1.439

1.440

1.441

1.442

1.443

1.444

1.445

1.446

1.447

1.447.1

1.447.2

1.448

1.449

1.450

1.451

1.452

1.453

1.454

1.455

1.456

1.457

1.458

1.459

1.460

1.461

1.462

1.463

1.464

1.465

1.466

1.466.1

1.466.2

1.467

1.468

1.469

1.470

1.471

1.472

1.473

1.474

1.475

1.476

1.477

1.478

1.479

1.480

1.480.1

1.480.2

1.480.3

1.481

1.482

1.483

1.484

1.485

1.486

1.487

1.488

1.489

1.490

1.491

1.492

1.493

1.494

1.495

1.496

1.497

1.498

1.499

1.500

1.501

1.502

1.503

1.504

1.505

1.506

1.507

1.508

1.509

1.509.1

1.509.2

1.509.2.JENKINS-8856-diag

1.509.2.JENKINS-14362-jzlib

1.509.3

1.509.3.JENKINS-14362-jzlib

1.509.4

1.510

1.511

1.512

1.513

1.514

1.515

1.516

1.516.JENKINS-14362-jzlib

1.517

1.518

1.518.JENKINS-14362-jzlib

1.519

1.520

1.521

1.522

1.523

1.524

1.525

1.526

1.527

1.528

1.529

1.530

1.531

1.532

1.532.1

1.532.1.JENKINS-19453

1.532.2

1.532.2.JENKINS-21622-diag

1.532.2.JENKINS-22395-diag

1.532.3

1.532.3.JENKINS-22395

1.532.3.JENKINS-22395-2

1.533

1.534

1.535

1.536

1.537

1.538

1.539

1.540

1.541

1.542

1.543

1.544

1.545

1.546

1.547

1.548

1.549

1.550

1.551

1.552

1.553

1.554

1.554.1

1.554.2

1.554.3

1.554.3.JENKINS-18065-ALLRM-all

1.554.3.JENKINS-18065-JENKINS-23945

1.555

1.556

1.557

1.558

1.559

1.560

1.561

1.562

1.563

1.564

1.565

1.565.1

1.565.1.JENKINS-22395-dropLinks

1.565.2

1.565.3

1.566

1.567

1.568

1.569

1.570

1.571

1.572

1.573

1.574

1.575

1.576

1.577

1.578

1.579

1.580

1.580.1

1.580.2

1.580.3

1.581

1.582

1.583

1.584

1.585

1.586

1.587

1.588

1.589

1.590

1.591

1.592

1.593

1.594

1.595

1.596

1.596.1

1.596.2

1.596.3

1.597

1.598

1.599

1.600

1.601

1.602

1.604

1.605

1.606

1.607

1.608

1.609

1.609.1

1.609.2

1.609.3

1.610

1.611

1.612

1.613

1.614

1.615

1.616

1.617

1.618

1.619

1.620

1.621

1.622

1.623

1.624

1.625

1.625.1

1.625.2

1.625.3

1.626

1.627

1.628

1.629

1.630

1.631

1.632

1.633

1.634

1.635

1.636

1.637

1.638

1.639

1.640

1.641

1.642

1.642.1

1.642.2

1.642.3

1.642.4

1.643

1.644

1.645

1.646

1.647

1.648

1.649

1.650

1.651

1.651.1

1.651.2

1.651.3

1.652

1.653

1.654

1.655

1.656

1.657

1.658

2.*

2.0-alpha-1

2.0-alpha-2

2.0-alpha-3

2.0-alpha-4

2.0-beta-1

2.0-beta-2

2.0-rc-1

2.0

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.7.1

2.7.2

2.7.3

2.7.4

2.8

2.9

2.10

2.11

2.12

2.13

2.14

2.15

2.16

2.17

2.18

2.19

2.19.1

2.19.2

2.19.3

2.19.4

2.20

2.21

2.22

2.23

2.24

2.25

2.26

2.27

2.28

2.29

2.30

2.31

2.32

2.32.1

2.32.2

2.32.3

2.33

2.34

2.35

2.36

2.37

2.38

2.39

2.40

2.41

2.42

2.43

2.44

2.45

2.46

2.46.1

2.46.2

2.46.3

2.47

2.48

2.49

2.50

2.51

2.52

2.53

2.54

2.55

2.56

2.57

2.58

2.59

2.60

2.60.1

2.60.2

2.60.3

2.61

2.62

2.63

2.64

2.65

2.66

2.67

2.68

2.69

2.70

2.71

2.72

2.73

2.73.1

2.73.2

2.73.3

2.74

2.75

2.76

2.77

2.78

2.79

2.80

2.81

2.82

2.83

2.84

2.85

2.86

2.87

2.88

2.89

2.89.1

2.89.2

2.89.3

2.89.4

2.90

2.91

2.92

2.93

2.94

2.95

2.96

2.97

2.98

2.99

2.100

2.101

2.102

2.103

2.104

2.105

2.106

2.107

2.107.1

2.107.2

2.107.3

2.108

2.109

2.110

2.111

2.112

2.113

2.114

2.115

2.116

2.117

2.118

2.119

2.120

2.121

2.121.1

2.121.2

2.121.3

2.122

2.123

2.124

2.125

2.126

2.127

2.128

2.129

2.130

2.131

2.132

2.133

2.134

2.135

2.136

2.137

2.138

2.138.1

2.138.2

2.138.3

2.138.4

2.140

2.141

2.142

2.143

2.144

2.145

2.146

2.147

2.148

2.149

2.150

2.150.1

2.150.2

2.150.3

2.151

2.152

2.153

2.154

2.155

2.156

2.157

2.158

2.159

2.160

2.161

2.162

2.163

2.164

2.164.1

2.164.2

2.164.3

2.165

2.166

2.167

2.168

2.169

2.170

2.171

2.172

2.173

2.174

2.175

2.176

2.176.1

2.176.2

2.176.3

2.176.4

2.177

2.178

2.179

2.180

2.181

2.182

2.183

2.184

2.185

2.186

2.187

2.189

2.190

2.190.1

2.190.2

2.190.3

2.191

2.192

2.193

2.194

2.195

2.196

2.197

2.198

2.199

2.200

2.201

2.202

2.203

2.204

2.204.1

2.204.2

2.204.3

2.204.4

2.204.5

2.204.6

2.205

2.206

2.207

2.208

2.209

2.210

2.211

2.212

2.213

2.214

2.215

2.216

2.217

2.218

2.219

2.220

2.221

2.222

2.222.1

2.222.3

2.222.4

2.223

2.224

2.225

2.226

2.227

2.228

2.229

2.230

2.231

2.232

2.233

2.234

2.235

2.235.1

2.235.2

2.235.3

2.235.4

2.235.5

2.236

2.237

2.238

2.239

2.240

2.241

2.242

2.243

2.244

2.245

2.246

2.247

2.248

2.249

2.249.1

2.249.2

2.249.3

2.250

2.251

2.252

2.253

2.254

2.255

2.256

2.257

2.258

2.259

2.260

2.261

2.262

2.263

2.263.1

2.263.2

2.263.3

2.263.4

2.264

2.265

2.266

2.267

2.268

2.269

2.270

2.271

2.272

2.273

2.274

2.275

2.276

2.277

2.277.1

2.277.2

2.277.3

2.277.4

2.278

2.279

2.280

2.281

2.282

2.283

2.284

2.285

2.286

2.287

2.288

2.289

2.289.1

2.289.2

2.289.3

2.290

2.291

2.292

2.293

2.294

2.295

2.296

2.297

2.298

2.299

2.300

2.301

2.302

2.303

2.303.1

2.303.2

2.303.3

2.304

2.305

2.306

2.307

2.308

2.309

2.311

2.312

2.313

2.314

2.315

2.316

2.317

2.318

2.319

2.319.1

2.319.2

2.319.3

2.320

2.321

2.322

2.323

2.324

2.325

2.326

2.327

2.328

2.329

2.330

2.331

2.332

2.332.1

2.332.2

2.332.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-9grj-j43m-mjqr/GHSA-9grj-j43m-mjqr.json"