Description
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.
Remediation
References
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-02-14
http://www.openwall.com/lists/oss-security/2014/02/21/2
https://github.com/jenkinsci/jenkins/commit/fbf96734470caba9364f04e0b77b0bae7293a1ec
Related Vulnerabilities
CVE-2017-5661 Vulnerability in maven package org.apache.xmlgraphics:fop
CVE-2023-34454 Vulnerability in maven package org.xerial.snappy:snappy-java
CVE-2016-0714 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2022-42466 Vulnerability in maven package org.apache.isis.viewer:isis-viewer-wicket-ui
CVE-2020-2252 Vulnerability in maven package org.jenkins-ci.plugins:mailer