VYPR
Moderate severity · NVD Advisory · Published Oct 17, 2014 · Updated May 6, 2026

CVE-2014-2064

Description

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Affected versions    Patched versions
org.jenkins-ci.main:jenkins-core (Maven)    >= 1.533, < 1.551    1.551
org.jenkins-ci.main:jenkins-core (Maven)    < 1.532.2            1.532.2

Affected products

  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:*:*:*:* (range: <=1.550)
  • cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* (range: <=1.532.1)

Patches

fbf96734470c

[FIXED SECURITY-79] Prevent (private security realm) usernames from being guessed.

https://github.com/jenkinsci/jenkins · Jesse Glick · Feb 7, 2014 · via ghsa
1 file changed · +11 -2
  • core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java (+11 -2, modified)
    @@ -78,6 +78,8 @@
     import java.util.ArrayList;
     import java.util.Collections;
     import java.util.List;
    +import java.util.MissingResourceException;
    +import java.util.ResourceBundle;
     import java.util.logging.Level;
     import java.util.logging.Logger;
     
    @@ -173,8 +175,15 @@ public Details loadUserByUsername(String username) throws UsernameNotFoundExcept
         @Override
         protected Details authenticate(String username, String password) throws AuthenticationException {
             Details u = loadUserByUsername(username);
    -        if (!u.isPasswordCorrect(password))
    -            throw new BadCredentialsException("Failed to login as "+username);
    +        if (!u.isPasswordCorrect(password)) {
    +            String message;
    +            try {
    +                message = ResourceBundle.getBundle("org.acegisecurity.messages").getString("AbstractUserDetailsAuthenticationProvider.badCredentials");
    +            } catch (MissingResourceException x) {
    +                message = "Bad credentials";
    +            }
    +            throw new BadCredentialsException(message);
    +        }
             return u;
         }
     
    
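Review bot: The generic message only covers the wrong-password branch of authenticate(); the call just above it, `Details u = loadUserByUsername(username);`, still runs first, and the hunk header shows that method declared as `throws UsernameNotFoundExcept…`, so an unknown name leaves through a different exception than a known name with a bad password. Please confirm that both failures reach the client with the same message and response, or catch the not-found case here and rethrow the same BadCredentialsException. Note also that isPasswordCorrect() is only reached when the user exists, so the two paths do different amounts of work. Smaller points: the ResourceBundle lookup with its hard-coded "Bad credentials" fallback would read better in a small private helper than inline in the if block, and a regression test asserting identical failure messages for an unknown user and for a wrong password would keep this from regressing.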

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
