Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.jenkins-ci.main/jenkins-core@2.334 |
|---|
| Type | maven |
|---|
| Namespace | org.jenkins-ci.main |
|---|
| Name | jenkins-core |
|---|
| Version | 2.334 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 2.346.1 |
|---|
| Latest_non_vulnerable_version | 2.555 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-vgg4-g95a-gkey |
| vulnerability_id |
VCID-vgg4-g95a-gkey |
| summary |
Observable timing discrepancy allows determining username validity in Jenkins
In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames.
Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-34174 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00863 |
| scoring_system |
epss |
| scoring_elements |
0.75152 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00863 |
| scoring_system |
epss |
| scoring_elements |
0.75113 |
| published_at |
2026-04-21T12:55:00Z |
|
| 2 |
| value |
0.00863 |
| scoring_system |
epss |
| scoring_elements |
0.75123 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00863 |
| scoring_system |
epss |
| scoring_elements |
0.75116 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00863 |
| scoring_system |
epss |
| scoring_elements |
0.75078 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.01169 |
| scoring_system |
epss |
| scoring_elements |
0.78641 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.01169 |
| scoring_system |
epss |
| scoring_elements |
0.7861 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.01169 |
| scoring_system |
epss |
| scoring_elements |
0.78622 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.01169 |
| scoring_system |
epss |
| scoring_elements |
0.78647 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.01169 |
| scoring_system |
epss |
| scoring_elements |
0.78654 |
| published_at |
2026-04-09T12:55:00Z |
|
| 10 |
| value |
0.01169 |
| scoring_system |
epss |
| scoring_elements |
0.78679 |
| published_at |
2026-04-11T12:55:00Z |
|
| 11 |
| value |
0.01169 |
| scoring_system |
epss |
| scoring_elements |
0.7866 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-34174 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-34174, GHSA-9grj-j43m-mjqr
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vgg4-g95a-gkey |
|
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-wrub-pwdz-qkhz |
| vulnerability_id |
VCID-wrub-pwdz-qkhz |
| summary |
Deserialization of Untrusted Data
Jenkins defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0538 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68827 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68698 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68749 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68769 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68791 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68777 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68748 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68789 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.688 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68779 |
| published_at |
2026-04-21T12:55:00Z |
|
| 10 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68683 |
| published_at |
2026-04-01T12:55:00Z |
|
| 11 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68702 |
| published_at |
2026-04-02T12:55:00Z |
|
| 12 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.6872 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-0538 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2022-0538, GHSA-34wx-x2w9-vqm3
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wrub-pwdz-qkhz |
|
|
|---|
| Risk_score | 3.4 |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.334 |
|---|