Jenkins Eiffel Broadcaster Plugin Cache Confusion Vulnerability Allowing Credential Misuse

Vulnerability

Jenkins Eiffel Broadcaster Plugin versions 2.8.0 through 2.10.2 cache the credential used to sign events, keyed by the credential ID alone. A credential ID is only unique within a single credentials store, so an attacker who can create credentials in a different store (for example a folder-scoped store they control) can define a credential with the same ID as the legitimate signing credential. Because the cache lookup ignores which store the ID should be resolved from, signing with the attacker's same-ID credential can return the cached legitimate credential instead, and the attacker's events published to RabbitMQ are signed as if they came from the legitimate credential. Exploitation requires the plugin's event signing feature to be enabled, which is not the default.

Impact

An attacker can get events signed with a legitimate credential they are not authorized to use. Any consumer of the RabbitMQ events that validates signatures against that credential will accept the attacker's events as genuine, so forged Eiffel events can be published under a trusted identity.

Remediation

Users of the affected Jenkins Eiffel Broadcaster Plugin should update to version 2.10.3, which removes the per-ID credential cache so that the signing credential is resolved in its proper store context on every signing operation. Until the update is applied, the exploitable code path is only reachable when event signing is enabled, and reviewing credentials stores for the same ID appearing in more than one store (global store versus folder or user stores) shows whether a signing credential could already be shadowed.
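The cache confusion described in the Vulnerability section, and the store-scoped resolution that the fixed version returns to, reduced to a runnable model. This is an added example, not the plugin's code: the store names, the credential ID "eiffel-signing", the key bytes and the event payloads are constructed for the demonstration, and HMAC-SHA256 stands in for the plugin's actual signing scheme, which this page does not describe. The duplicate-ID audit helper at the end illustrates the check suggested above.

```python
import hashlib
import hmac
from dataclasses import dataclass


# Constructed model of two Jenkins credentials stores holding a credential with
# the same ID. Store names, ID and key material are hypothetical.
@dataclass(frozen=True)
class Credential:
    store: str     # store the credential was defined in
    cred_id: str   # user-chosen ID, unique only within one store
    secret: bytes  # key material used to sign events


STORES = {
    "global": {
        "eiffel-signing": Credential("global", "eiffel-signing", b"legit-key-material"),
    },
    "folder/attacker": {
        "eiffel-signing": Credential("folder/attacker", "eiffel-signing", b"attacker-key-material"),
    },
}


def lookup(store: str, cred_id: str) -> Credential:
    """Resolve an ID in the context of one store (stand-in for Jenkins' scoped lookup)."""
    return STORES[store][cred_id]


def sign(secret: bytes, event: bytes) -> str:
    # HMAC-SHA256 is a stand-in; the real plugin's signing algorithm is not modelled here.
    return hmac.new(secret, event, hashlib.sha256).hexdigest()


def verify(secret: bytes, event: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(secret, event), signature)


class VulnerableSigner:
    """Caches the resolved credential keyed by ID only (the 2.8.0 to 2.10.2 pattern)."""

    def __init__(self) -> None:
        self._cache: dict[str, Credential] = {}

    def sign_event(self, store: str, cred_id: str, event: bytes) -> str:
        cred = self._cache.get(cred_id)
        if cred is None:
            cred = lookup(store, cred_id)
            self._cache[cred_id] = cred  # the store context is discarded here
        return sign(cred.secret, event)


class FixedSigner:
    """Resolves the credential in its store context on every call (no cross-store cache)."""

    def sign_event(self, store: str, cred_id: str, event: bytes) -> str:
        return sign(lookup(store, cred_id).secret, event)


# Constructed sample events: the first is published by a legitimate job, the
# second by a job in the attacker-controlled folder.
LEGIT_EVENT = b'{"meta":{"type":"EiffelActivityTriggeredEvent","source":"release-job"}}'
FORGED_EVENT = b'{"meta":{"type":"EiffelActivityTriggeredEvent","source":"release-job"},"data":{"forged":true}}'


def forged_event_verifies_with_legit_key(signer_cls) -> bool:
    """A legitimate job signs first, then an attacker-controlled folder job signs
    using a same-ID credential from its own store. Returns True if the attacker's
    event ends up carrying a signature that verifies under the legitimate key."""
    signer = signer_cls()
    signer.sign_event("global", "eiffel-signing", LEGIT_EVENT)
    forged_sig = signer.sign_event("folder/attacker", "eiffel-signing", FORGED_EVENT)
    legit_secret = STORES["global"]["eiffel-signing"].secret
    return verify(legit_secret, FORGED_EVENT, forged_sig)


def find_duplicate_ids(stores: dict) -> dict[str, list[str]]:
    """Audit helper: credential IDs that exist in more than one store."""
    seen: dict[str, list[str]] = {}
    for store_name, creds in stores.items():
        for cred_id in creds:
            seen.setdefault(cred_id, []).append(store_name)
    return {cid: sorted(names) for cid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print("vulnerable signer:", forged_event_verifies_with_legit_key(VulnerableSigner))  # True
    print("fixed signer:     ", forged_event_verifies_with_legit_key(FixedSigner))       # False
    print("duplicate IDs:", find_duplicate_ids(STORES))
```

The order of operations matters for the vulnerable signer: whichever credential is resolved first under a given ID is the one every later caller gets, regardless of store. Keying the cache on the store identity as well as the ID would also close the hole; the fixed release simply drops the cache.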

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.6
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.