Insecure Connections in Bumblebee HP ALM Plugin for Jenkins
CVE-2019-10444

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Bumblebee HP Alm Plugin
Vendor: CVE Published:; 16 October 2019

Summary

The Bumblebee HP ALM Plugin for Jenkins, specifically version 4.1.3 and earlier, has a significant security flaw that unconditionally disables SSL/TLS and hostname verification for connections to HP ALM. This vulnerability can expose users to man-in-the-middle (MitM) attacks, as sensitive data may be intercepted by malicious actors. It is critical for users to ensure secure configurations and consider updating to a patched version to protect their systems.

Affected Version(s)

Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2019
Vulnerability Reserved
Mar 29, 2019