Description

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Remediation

References

CVE-2014-2064

Related Vulnerabilities

Oracle Database Server CVE-2007-5509 Vulnerability (CVE-2007-5509)

Jenkins Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2018-1000406)

Squid Improper Input Validation Vulnerability (CVE-2020-24606)

WordPress Plugin Print, PDF, Email by PrintFriendly Multiple Unspecified Vulnerabilities (3.5.2)

WordPress Plugin Simple:Press Security Bypass and Arbitrary File Upload Vulnerabilities (4.1.2)

Severity

Medium

Classification

CVE-2014-2064 CWE-200

Tags

Missing Update Known Vulnerabilities