CVE-2025-24400: Cache confusion in Jenkins Eiffel Broadcaster Plugin

January 22, 2025 (updated March 20, 2025)

The Jenkins Eiffel Broadcaster Plugin allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential.

Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key. This allows attackers able to create a credential with the same ID as a legitimate one in a different credentials store, to sign an event published to RabbitMQ with the legitimate certificate credentials.

Eiffel Broadcaster Plugin 2.10.3 removes the cache.

References

github.com/advisories/GHSA-fpw7-8gjc-jwqj
github.com/jenkinsci/eiffel-broadcaster-plugin
nvd.nist.gov/vuln/detail/CVE-2025-24400
www.jenkins.io/security/advisory/2025-01-22/

Code Behaviors & Features

Detect and mitigate CVE-2025-24400 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →