CVE-2025-24400
📋 TL;DR
Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) lets an attacker who can create a credential with the same ID as a legitimate signing credential, but in a different credential store (for example a folder-scoped store instead of the system store), sign events published to RabbitMQ with the legitimate credential. Only Jenkins installations with more than one credential store are exposed.
💻 Affected Systems
- Jenkins Eiffel Broadcaster Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could sign malicious events with legitimate credentials, potentially leading to unauthorized event publication, data manipulation in event-driven systems, or triggering downstream actions based on forged events.
Likely Case
Unauthorized signing of events published to RabbitMQ, potentially disrupting event-driven workflows or injecting false events into monitoring/CI systems.
If Mitigated
Limited impact if credential IDs are kept unique across all stores and access controls prevent untrusted users from creating credentials.
🎯 Exploit Status
Exploitation requires an authenticated user with permission to create credentials in some credential store (for example a folder they control) other than the one holding the legitimate signing credential, plus knowledge of that credential's ID.
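The following Python model shows why a same-ID credential in another store is enough. It is an added example, not code from the plugin or from this page. The one detail taken from the Jenkins advisory linked below is that the affected versions cache signing credentials under the credential ID alone; the two-step lookup (resolve the ID in the stores the job can see, then fetch key material from the cache), the (store, id) key used for the corrected cache, the HMAC standing in for the plugin's real signature scheme, and all store names, secrets and event payloads are this example's own assumptions.

```python
"""Model of the credential-ID cache collision behind CVE-2025-24400 (added example).

Not plugin code. From the Jenkins advisory: affected versions cache signing
credentials keyed by credential ID alone. Assumed simplifications: the resolve-
then-cache lookup, the (store, id) key of the corrected cache, HMAC-SHA256 as a
stand-in for the real signature scheme. Store names and secrets are constructed.
"""
from dataclasses import dataclass
import hashlib
import hmac


@dataclass(frozen=True)
class Credential:
    store: str      # constructed store name, e.g. "system" or "folder:attacker"
    cred_id: str    # user-chosen ID; Jenkins does not make it unique across stores
    secret: bytes   # signing key material


class CredentialStores:
    """Stand-in for the credential stores a Jenkins instance exposes."""

    def __init__(self):
        self._creds = {}  # (store, cred_id) -> Credential

    def add(self, cred):
        self._creds[(cred.store, cred.cred_id)] = cred

    def resolve(self, cred_id, visible_stores):
        """First credential with this ID among the stores the caller can see."""
        for store in visible_stores:
            cred = self._creds.get((store, cred_id))
            if cred is not None:
                return cred
        return None


class EventSigner:
    """Signs events with a cached credential; key_by_id_only=True mimics 2.8.0-2.10.2."""

    def __init__(self, stores, key_by_id_only):
        self._stores = stores
        self._key_by_id_only = key_by_id_only
        self._cache = {}

    def sign(self, event, cred_id, visible_stores):
        resolved = self._stores.resolve(cred_id, visible_stores)
        if resolved is None:
            raise LookupError(f"no credential {cred_id!r} visible to this job")
        key = cred_id if self._key_by_id_only else (resolved.store, cred_id)
        # The bug: whichever credential was cached first under this key is used,
        # regardless of which store the caller actually resolved the ID from.
        cred = self._cache.setdefault(key, resolved)
        sig = hmac.new(cred.secret, event, hashlib.sha256).hexdigest()
        return cred.store, sig


FORGED_EVENT = b'{"meta":{"type":"forged"}}'  # constructed payload


def scenario(key_by_id_only):
    """A legitimate job signs first (caching the system credential); then a job in an
    attacker-controlled folder signs with a same-ID credential created there.
    Returns (store whose key the legit job used, store whose key the attacker used,
    attacker's signature)."""
    stores = CredentialStores()
    stores.add(Credential("system", "eiffel-signing-key", b"legit-secret"))
    stores.add(Credential("folder:attacker", "eiffel-signing-key", b"attacker-secret"))
    signer = EventSigner(stores, key_by_id_only)

    legit_store, _ = signer.sign(b'{"meta":{"type":"EiffelArtifactCreatedEvent"}}',
                                 "eiffel-signing-key", ["system"])
    attacker_store, attacker_sig = signer.sign(FORGED_EVENT, "eiffel-signing-key",
                                               ["folder:attacker", "system"])
    return legit_store, attacker_store, attacker_sig


def verify(event, sig, secret):
    """What a RabbitMQ consumer holding the legitimate key would check."""
    expected = hmac.new(secret, event, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    print("vulnerable:", scenario(True)[:2])   # ('system', 'system')
    print("fixed:     ", scenario(False)[:2])  # ('system', 'folder:attacker')
```

With the ID-only cache the attacker's job never touches its own key material: the forged event verifies under the legitimate secret. Keying the cache by store as well makes the attacker's job sign with the credential it actually created, which a consumer holding the legitimate key rejects.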
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.3 and later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3485
Restart Required: Yes
Instructions:
1. Open the Jenkins Update Center (Manage Jenkins > Plugins).
2. Update Eiffel Broadcaster Plugin to version 2.10.3 or later.
3. Restart Jenkins to apply the update.
🔧 Temporary Workarounds
Restrict credential creation permissions
Limit who can create credentials in Jenkins, in the system store and in any folder-scoped store, so that untrusted users cannot create a credential whose ID matches the signing credential's.
Use single credential store
Configure Jenkins to use only one credential store, so there is no second store in which a colliding credential ID could be created.
🧯 If You Can't Patch
- Implement strict access controls on credential creation and management
- Monitor for unauthorized credential creation attempts and unusual event signing activity
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins plugin manager for the installed Eiffel Broadcaster Plugin version. Versions 2.8.0 through 2.10.2 (both inclusive) are vulnerable; the issue is only exploitable when more than one credential store is configured.
Check Version:
Navigate to Manage Jenkins > Plugins (Plugin Manager) > Installed plugins and find Eiffel Broadcaster Plugin.
Verify Fix Applied:
Verify plugin version is 2.10.3 or later in Jenkins plugin manager and confirm Jenkins has been restarted after update.
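For fleets where clicking through the plugin manager does not scale, the same check can be run against the plugin manager's JSON API. This is an added example, not from the page or the plugin. It assumes the plugin's short name in that API is "eiffel-broadcaster" and that the document has the shape of <jenkins>/pluginManager/api/json?depth=1 (a "plugins" list whose entries carry shortName, version and active); the sample response is constructed.

```python
"""Version check for Eiffel Broadcaster Plugin against the affected range (added example).

Not from the page or the plugin. Assumptions: plugin short name "eiffel-broadcaster";
API shape of <jenkins>/pluginManager/api/json?depth=1. SAMPLE_RESPONSE is constructed.
"""
import base64
import json
import re
import urllib.request

PLUGIN_SHORT_NAME = "eiffel-broadcaster"  # assumption
FIRST_AFFECTED = "2.8.0"
FIRST_FIXED = "2.10.3"


def parse_version(version):
    """Numeric prefix of a plugin version as a tuple: '2.10.2' -> (2, 10, 2)."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True for 2.8.0 <= version < 2.10.3, i.e. 2.8.0 through 2.10.2 inclusive."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIRST_FIXED)


def assess(plugin_manager_json):
    """Classify the installed plugin from a plugin-manager API document (JSON string)."""
    doc = json.loads(plugin_manager_json)
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = plugin["version"]
            return {
                "installed": True,
                "version": version,
                "active": plugin.get("active", True),  # a disabled plugin still needs the update
                "affected": is_affected(version),
            }
    return {"installed": False, "version": None, "active": False, "affected": False}


def fetch_plugin_manager(base_url, user, api_token):
    """Fetch the live document with a Jenkins API token (not exercised offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + auth)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample, not a real instance's output.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "git", "longName": "Git plugin", "version": "5.6.0", "active": True},
    {"shortName": "eiffel-broadcaster", "longName": "Eiffel Broadcaster Plugin",
     "version": "2.10.2", "active": True},
]})

if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

Versions are compared as integer tuples rather than strings so that 2.10.x sorts after 2.8.x; a string comparison would wrongly place "2.10.2" before "2.8.0". A version of 2.10.3 or later reported here still requires that Jenkins was restarted after the update, as noted above.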
📡 Detection & Monitoring
Log Indicators:
- Credential creation by users, or in folders, that do not normally manage credentials
- Failed or unexpected event signing attempts
- The same credential ID present in more than one credential store (Jenkins permits this across stores, so compare the stores' contents rather than waiting for an error)
Network Indicators:
- Unexpected RabbitMQ event publishing patterns (new publishers, unusual volume or event types)
- Signed events originating from jobs or folders that should not have access to the signing credential
SIEM Query:
source="jenkins.log" AND ("credential creation" OR "Eiffel Broadcaster" OR "credential ID") AND ("error" OR "conflict" OR "unauthorized")
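The credential ID collision the indicators above refer to is not something Jenkins reports on its own, so the practical check is an inventory of credential IDs per store. The following Python audit is an added example, not from the page or any plugin. It assumes each store is exported as JSON in the shape of the Credentials plugin's domain endpoint (<jenkins>/credentials/store/system/domain/_/api/json?depth=1 for the system store, <jenkins>/job/<folder>/credentials/store/folder/domain/_/api/json?depth=1 for a folder store), i.e. a "credentials" list whose entries carry "id"; the list of IDs used for event signing is supplied by the caller, and all documents below are constructed.

```python
"""Audit: credential IDs that exist in more than one Jenkins credential store (added example).

Not from the page or any plugin. Assumptions: per-store JSON in the shape of the
Credentials plugin's domain endpoint ("credentials" list with "id" fields); the
caller knows which IDs the Eiffel Broadcaster Plugin is configured to sign with.
All sample documents are constructed.
"""
import json
from collections import defaultdict


def ids_in_store(domain_json):
    """Credential IDs from one store's domain document (JSON string)."""
    doc = json.loads(domain_json)
    return [c["id"] for c in doc.get("credentials", []) if "id" in c]


def collisions(inventory):
    """inventory: {store_name: [credential_id, ...]}.
    Returns {credential_id: [store_name, ...]} for every ID seen in more than one store."""
    stores_by_id = defaultdict(set)
    for store, ids in inventory.items():
        for cred_id in ids:
            stores_by_id[cred_id].add(store)
    return {cid: sorted(stores) for cid, stores in sorted(stores_by_id.items())
            if len(stores) > 1}


def signing_credential_collisions(inventory, signing_ids):
    """Only collisions on IDs used for event signing matter for CVE-2025-24400."""
    found = collisions(inventory)
    return {cid: found[cid] for cid in signing_ids if cid in found}


# Constructed store exports, not real instance output.
SYSTEM_STORE = json.dumps({"credentials": [
    {"id": "eiffel-signing-key", "typeName": "Secret text"},
    {"id": "rabbitmq-user", "typeName": "Username with password"},
]})
TEAM_A_STORE = json.dumps({"credentials": [{"id": "deploy-token", "typeName": "Secret text"}]})
CONTRACTOR_STORE = json.dumps({"credentials": [{"id": "eiffel-signing-key", "typeName": "Secret text"}]})

INVENTORY = {
    "system": ids_in_store(SYSTEM_STORE),
    "folder:team-a": ids_in_store(TEAM_A_STORE),
    "folder:contractor": ids_in_store(CONTRACTOR_STORE),
}

if __name__ == "__main__":
    for cred_id, stores in signing_credential_collisions(INVENTORY, ["eiffel-signing-key"]).items():
        print(f"COLLISION: {cred_id} exists in {', '.join(stores)}")
```

Any hit on a signing credential ID is a finding on a vulnerable version: whoever can create credentials in the colliding store satisfies the exploit precondition above. Run it from a scheduled job so a newly created colliding credential is caught rather than only a historical one.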