VulnerableCode Package Details - pkg:rpm/redhat/jenkins@2.361.1.1675668150-1?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-dvyn-8phs-a3a6 Aliases: CVE-2022-2048 GHSA-wgmr-mf83-7x4j	Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service ### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.	There are no reported fixed by versions.
VCID-vgg4-g95a-gkey Aliases: CVE-2022-34174 GHSA-9grj-j43m-mjqr	Observable timing discrepancy allows determining username validity in Jenkins In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-dvyn-8phs-a3a6
Aliases:
CVE-2022-2048
GHSA-wgmr-mf83-7x4j

Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service ### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.

There are no reported fixed by versions.

VCID-vgg4-g95a-gkey
Aliases:
CVE-2022-34174
GHSA-9grj-j43m-mjqr

Observable timing discrepancy allows determining username validity in Jenkins In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm. This allows attackers to determine the validity of attacker-specified usernames. Login attempts with an invalid username now validate a synthetic password to eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:58:08.527509+00:00	RedHat Importer	Affected by	VCID-vgg4-g95a-gkey	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34174.json	38.0.0
2026-04-01T13:58:01.713964+00:00	RedHat Importer	Affected by	VCID-dvyn-8phs-a3a6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2048.json	38.0.0

2026-04-01T13:58:08.527509+00:00

RedHat Importer

Affected by

VCID-vgg4-g95a-gkey

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34174.json

38.0.0

2026-04-01T13:58:01.713964+00:00

RedHat Importer

Affected by

VCID-dvyn-8phs-a3a6

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2048.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0