Jenkins-2022-34174

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.
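The following is an added example, not part of the original PoC and not Jenkins code. It shows the usual root cause of this kind of timing discrepancy (the expensive password hash is skipped for unknown usernames) next to a hardened check that does the same work either way. PBKDF2, the iteration count, the `alice` account and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000        # assumed work factor for this example
HASH_CALLS = {"count": 0}   # instrumentation: counts expensive hash operations

def slow_hash(password, salt):
    """Deliberately expensive password hash (PBKDF2-HMAC-SHA256 as a stand-in)."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    """Build a (salt, hash) record as a user database would store it."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

# Constructed sample user database: username -> (salt, hash)
USERS = {"alice": make_record("correct horse battery staple")}

# Record that belongs to no account; it exists only to spend the same CPU time.
DUMMY_RECORD = make_record(os.urandom(16).hex())

def login_leaky(username, password):
    """Unknown user returns before any hashing, so the response is measurably faster."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(slow_hash(password, salt), expected)

def login_uniform(username, password):
    """Always one hash and one constant-time compare, whether or not the user exists."""
    record = USERS.get(username)
    salt, expected = record if record is not None else DUMMY_RECORD
    matches = hmac.compare_digest(slow_hash(password, salt), expected)
    # A match against the dummy record must never authenticate anyone.
    return matches and record is not None

def hashes_used(login, username, password):
    """Number of expensive hash operations a single login attempt triggers."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before
```

Counting hash operations instead of measuring wall-clock time keeps the comparison deterministic: the leaky check costs 0 hashes for an unknown user and 1 for a known one, while the uniform check costs 1 in both cases.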

Precondition

You need to know one existing username to use for comparison.

pip3 install requests

POC

#-*- coding:utf-8 -*-
import requests
import sys
from requests import exceptions