Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same ID as a legitimate one in a different credentials store to sign an event published to RabbitMQ with the legitimate credentials.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.axis.jenkins.plugins.eiffel:eiffel-broadcaster(Maven) | 2.8.0 | 2.10.3 | N/A |
CVSS Metrics
