Lucene search

GitHub Advisory DatabaseGHSA-9VG9-X38G-9HFX

HistoryMay 17, 2022 - 3:53 a.m.

Jenkins allows attackers to determine whether a user exists

2022-05-1703:53:52

CWE-200

GitHub Advisory Database

github.com

7 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

77.9%

JSON

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

CPENameOperatorVersion
org.jenkins-ci.main:jenkins-corelt1.532.2
org.jenkins-ci.main:jenkins-corelt1.551

CPE	Name	Operator	Version
	org.jenkins-ci.main:jenkins-core	lt	1.532.2
	org.jenkins-ci.main:jenkins-core	lt	1.551

References

www.openwall.com/lists/oss-security/2014/02/21/2

github.com/advisories/GHSA-9vg9-x38g-9hfx

github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec

nvd.nist.gov/vuln/detail/CVE-2014-2064

wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14

7 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

77.9%

JSON

Related for GHSA-9VG9-X38G-9HFX