
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-34174 is a security vulnerability affecting Jenkins 2.355 and earlier and LTS 2.332.3 and earlier, disclosed on June 22, 2022. It allows an attacker to determine whether a given username exists by observing a timing discrepancy on the login form when Jenkins is configured to use its own user database security realm (Jenkins Advisory).
Login attempts with an invalid username complete measurably faster than attempts with a valid username and a wrong password, because only the latter run the password-hash check. An attacker who submits login requests and compares response times can therefore tell the two cases apart without ever supplying a correct password. The issue is rated Medium severity and was tracked internally by the Jenkins security team as SECURITY-2566 (Jenkins Advisory).
By itself the flaw discloses no credentials, but a confirmed list of valid usernames is a useful first step for password spraying, brute-force or phishing attacks against the instance (Jenkins Advisory).
The vulnerability is fixed in Jenkins 2.356 and LTS 2.332.4. The fix validates a synthetic password whenever the submitted username is unknown, so the unknown-username path performs the same work as a real password check and the timing discrepancy disappears. Users should upgrade to these versions or later; the running version is shown in the Jenkins footer and in the X-Jenkins response header. Instances that use a different security realm are not affected by this particular issue (Jenkins Advisory).
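The following is an added example, not Jenkins's code or the advisory's, that models the two authenticator paths described above: a vulnerable realm that returns early for unknown usernames, and a fixed realm that hashes the supplied password against a synthetic credential so both paths do the same work. It assumes PBKDF2-HMAC-SHA256 as the password hash (Jenkins's real realm uses a different hash; the cost model is what matters) and instruments the key-derivation function so the difference can be checked by counting KDF runs as well as by timing.

```python
"""
Model of CVE-2022-34174: username enumeration via a login-time side channel.

authenticate_vulnerable() returns early when the username is unknown, so the
expensive password-hash check only runs for valid usernames.
authenticate_fixed() hashes the supplied password against a synthetic
credential when the username is unknown, so both paths cost the same.
"""
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000  # deliberately slow KDF; this is the cost the attacker measures


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for the realm's password hash (assumption, not Jenkins's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserDatabase:
    """Minimal stand-in for an embedded user-database security realm."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        # Synthetic credential, generated once at startup. It is never accepted
        # for login; it only exists so the "unknown user" path can run the KDF.
        self._synthetic_salt = os.urandom(16)
        self._synthetic_hash = hash_password(secrets.token_urlsafe(32), self._synthetic_salt)
        self.kdf_calls = 0  # instrumentation: how many times the KDF has run

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def authenticate_vulnerable(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False  # fast path: no KDF run, so the response is measurably quicker
        salt, stored = record
        self.kdf_calls += 1
        return hmac.compare_digest(hash_password(password, salt), stored)

    def authenticate_fixed(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Unknown user: run the KDF anyway, against the synthetic credential.
            salt, stored = self._synthetic_salt, self._synthetic_hash
            known = False
        else:
            salt, stored = record
            known = True
        self.kdf_calls += 1
        matched = hmac.compare_digest(hash_password(password, salt), stored)
        return matched and known  # the synthetic credential can never log in


def time_login(auth, username: str, password: str, rounds: int = 3) -> float:
    """Best-of-N wall-clock time for one login attempt, in seconds."""
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        auth(username, password)
        best = min(best, time.perf_counter() - start)
    return best


def kdf_runs_for(db: UserDatabase, auth, username: str, password: str) -> int:
    """Number of KDF invocations a single login attempt triggers."""
    before = db.kdf_calls
    auth(username, password)
    return db.kdf_calls - before


if __name__ == "__main__":
    db = UserDatabase()
    db.add_user("alice", "correct horse battery staple")  # constructed sample account
    for name, auth in (("vulnerable", db.authenticate_vulnerable), ("fixed", db.authenticate_fixed)):
        t_valid = time_login(auth, "alice", "wrong-password")
        t_unknown = time_login(auth, "mallory", "wrong-password")
        print(f"{name:10s} valid user: {t_valid * 1000:7.1f} ms   unknown user: {t_unknown * 1000:7.1f} ms")
```

Running the script prints the vulnerable realm answering unknown usernames in microseconds while valid usernames take the full KDF time; the fixed realm takes the KDF time in both cases. The synthetic credential is generated with a random password and discarded, and the result is gated on `known`, so the dummy hash can never be matched by an attacker. A residual dictionary lookup still differs in cost, but it is orders of magnitude below the KDF and not distinguishable over a network.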
The vulnerability was reported by Anders Lundman of WithSecure (Jenkins Advisory).
Source: This report was generated using AI