CVE-2025-24400

MEDIUM

Jenkins Eiffel Broadcaster Plugin 2.8.0-2.10.2 - Incorrect Authorization via Credential ID Cache Key

Title source: llm

Description

Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3485

Scores

CVSS v3 4.3

EPSS 0.0015

EPSS Percentile 35.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

com.axis.jenkins.plugins.eiffel/eiffel-broadcaster 2.8.0 - 2.10.3Maven

jenkins/eiffel_broadcaster 2.8.0 - 2.10.2

Published Jan 22, 2025

Tracked Since Feb 18, 2026