
CVE-2014-3662: Jenkins Exposure of Sensitive Information to an Unauthorized Actor vulnerability

CVSS Score: 5

Basic Information

EPSS Score: 0.19941%
Published: 5/17/2022
Updated: 2/8/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
org.jenkins-ci.main:jenkins-core    maven       >= 1.566, < 1.583     1.583
org.jenkins-ci.main:jenkins-core    maven       < 1.565.3             1.565.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability (CVE-2014-3662/SECURITY-110) explicitly involves user enumeration via login response discrepancies. Jenkins' HudsonPrivateSecurityRealm is the primary class handling local user authentication. The doLogin method would be responsible for validating credentials, and pre-patch versions of this function likely leaked username existence through error message differentiation. The security advisory and CVE description align with this authentication flow vulnerability.


WAF Protection Rules

WAF Rule

Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.
