
Magnus Bäck

Researcher from Axis Communications
#51042 of 53,633
4.3 Total CVSS
Vulnerabilities · 1
PT-2025-5358
4.3
2025-01-22
Jenkins · Jenkins Eiffel Broadcaster Plugin · CVE-2025-24400
**Name of the Vulnerable Software and Affected Versions**

Jenkins Eiffel Broadcaster Plugin versions 2.8.0 through 2.10.2

**Description**

The issue allows attackers to create a credential with the same ID as a legitimate one in a different credentials store, enabling them to sign an event published to RabbitMQ with the legitimate credentials. This is possible because the plugin uses the credential ID as the cache key during signing operations.

**Recommendations**

For versions 2.8.0 through 2.10.2, consider updating to version 2.10.3, which removes the cache, thereby resolving the issue. As a temporary workaround, consider restricting access to the credential store to minimize the risk of exploitation.