User Impersonation Affecting com.axis.jenkins.plugins.eiffel:eiffel-broadcaster package, versions [2.8.0,2.10.3)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JAVA-COMAXISJENKINSPLUGINSEIFFEL-8660338
published23 Jan 2025
disclosed22 Jan 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 22 Jan 2025

NewCVE-2025-24400 (opens in a new tab) CWE-290 (opens in a new tab)

How to fix?

Upgrade com.axis.jenkins.plugins.eiffel:eiffel-broadcaster to version 2.10.3 or higher.

Overview

Affected versions of this package are vulnerable to User Impersonation due to the use of a credential ID as the cache key. An attacker can impersonate a legitimate user by creating a credential with the same ID as a legitimate one in a different credentials store.

References

Jenkins Security Advisory

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
Low
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None