Moderate severity · NVD Advisory · Published Jan 22, 2025 · Updated Mar 20, 2025
CVE-2025-24400
Description
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.axis.jenkins.plugins.eiffel:eiffel-broadcaster (Maven) | >= 2.8.0, < 2.10.3 | 2.10.3 |
Affected products
- Range: 2.8.0
References
- github.com/advisories/GHSA-fpw7-8gjc-jwqj (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-24400 (source: GHSA; type: advisory)
- www.jenkins.io/security/advisory/2025-01-22/ (source: GHSA; type: vendor advisory, web)
News mentions
- Jenkins Security Advisory 2025-01-22 (Jenkins Security Advisories · Jan 22, 2025)