GHSA-fpw7-8gjc-jwqj

Source
https://github.com/advisories/GHSA-fpw7-8gjc-jwqj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-fpw7-8gjc-jwqj/GHSA-fpw7-8gjc-jwqj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fpw7-8gjc-jwqj
Aliases
  • CVE-2025-24400
Published
2025-01-22T18:31:55Z
Modified
2025-03-20T19:50:20.374761Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
Cache confusion in Jenkins Eiffel Broadcaster Plugin
Details

The Jenkins Eiffel Broadcaster Plugin allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential.

Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID alone as the cache key, even though credential IDs are only unique within a single credentials store. This allows attackers who can create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate certificate credentials.

Eiffel Broadcaster Plugin 2.10.3 removes the cache.
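The cache-key problem described above, as an added illustration that is not the plugin's own code: all class, method and store names, the credential IDs and the key material are hypothetical, and the "no cache" variant mirrors the 2.10.3 fix of resolving the credential on every use.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of the cache confusion in CVE-2025-24400. Not the plugin's
// code; every name and value below is invented for the demonstration.
public class CredentialCacheDemo {
    // A credential belongs to a store; its ID is only unique within that store.
    record Credential(String store, String id, String keyMaterial) {}

    interface Resolver { Credential resolve(String store, String id); }

    // Vulnerable pattern (2.8.0 through 2.10.2): the cache is keyed by the
    // credential ID only, so the store the caller asked for is ignored once
    // any credential with that ID has been cached.
    static class IdKeyedCache {
        private final Map<String, String> cache = new HashMap<>();
        private final Resolver resolver;
        IdKeyedCache(Resolver r) { resolver = r; }
        String signingKey(String store, String id) {
            return cache.computeIfAbsent(id, k -> resolver.resolve(store, id).keyMaterial());
        }
    }

    // Fixed pattern (2.10.3 removes the cache): resolve from the requested
    // store every time, so a same-ID credential elsewhere cannot be confused.
    static class NoCache {
        private final Resolver resolver;
        NoCache(Resolver r) { resolver = r; }
        String signingKey(String store, String id) {
            return resolver.resolve(store, id).keyMaterial();
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a legitimate credential in "store-a" and a
        // second credential with the same ID in a different store, "store-b".
        Map<String, Credential> stores = new HashMap<>();
        stores.put("store-a/signing-cert", new Credential("store-a", "signing-cert", "KEY-A"));
        stores.put("store-b/signing-cert", new Credential("store-b", "signing-cert", "KEY-B"));
        Resolver r = (store, id) -> stores.get(store + "/" + id);

        IdKeyedCache vulnerable = new IdKeyedCache(r);
        vulnerable.signingKey("store-a", "signing-cert");   // populates the cache under "signing-cert"
        System.out.println("vulnerable, store-b: " + vulnerable.signingKey("store-b", "signing-cert"));

        NoCache fixed = new NoCache(r);
        System.out.println("fixed, store-b:      " + fixed.signingKey("store-b", "signing-cert"));
    }
}
```

Run as written, the vulnerable lookup for "store-b" returns KEY-A, the material cached under the shared ID, while the no-cache variant returns KEY-B. A cache keyed by the full (store, id) pair would also avoid the confusion, but the advisory records that the fix simply drops the cache.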

Database specific
{
    "nvd_published_at": "2025-01-22T17:15:13Z",
    "cwe_ids": [
        "CWE-276",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-22T19:26:49Z"
}
References

Affected packages

Maven / com.axis.jenkins.plugins.eiffel:eiffel-broadcaster

Package

Name
com.axis.jenkins.plugins.eiffel:eiffel-broadcaster
Purl
pkg:maven/com.axis.jenkins.plugins.eiffel/eiffel-broadcaster

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.10.3

Affected versions

2.*
2.8.0
2.8.1
2.9.0
2.10.0
2.10.1
2.10.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-fpw7-8gjc-jwqj/GHSA-fpw7-8gjc-jwqj.json"