PT-2019-11838 · Hewlett Packard+1 · Hp Alm+2

Viktor Gazdag

·

Published

2019-10-16

·

Updated

2023-10-25

·

CVE-2019-10444

CVSS v2.0

6.4

Medium

Vector AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Bumblebee HP ALM Plugin versions 4.1.3 and earlier
Description: Jenkins Bumblebee HP ALM Plugin 4.1.3 and earlier unconditionally disables SSL/TLS certificate validation and hostname verification for its connections to HP ALM. Because the plugin never checks the identity of the HP ALM server it talks to, an attacker positioned on the network path between the Jenkins controller (or an agent running the plugin) and HP ALM can impersonate the server and read or tamper with the data exchanged; the CVSS vector reflects this as partial confidentiality and integrity impact with no authentication required. The fixed release validates certificates by default and disables validation only when a user explicitly opts out.
Recommendations: For Jenkins Bumblebee HP ALM Plugin versions 4.1.3 and earlier, update to a release in which certificate validation is enabled by default and can only be turned off by explicit opt-out, and after updating confirm that the opt-out is not enabled for existing jobs. Until the update can be applied, restrict the network path between Jenkins and the HP ALM service so that untrusted hosts cannot interpose on the connection; this reduces exposure but does not remove the weakness.
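The following Java fragment is an added illustration of the weakness described above and of the shape of the fix; it is not the plugin's own code. It shows the common "trust everything" pattern that disables chain validation and hostname verification on an HttpsURLConnection, next to a hardened helper that keeps the JVM defaults unless the caller passes an explicit opt-out flag. The class name, method names and the `skipCertValidation` parameter are assumptions made for the example.

```java
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Illustrative class (not from the plugin) contrasting the vulnerable pattern
// with an explicit-opt-out design.
public final class AlmTlsExample {

    // VULNERABLE PATTERN: a TrustManager that accepts every certificate chain.
    // Paired with a hostname verifier that always returns true, any on-path
    // attacker holding a self-signed certificate can impersonate the ALM server.
    static SSLSocketFactory trustAllSocketFactory() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // Pre-fix behaviour: validation is disabled unconditionally.
    static HttpsURLConnection openVulnerable(URL almUrl) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) almUrl.openConnection();
        conn.setSSLSocketFactory(trustAllSocketFactory());
        conn.setHostnameVerifier((host, session) -> true);
        return conn;
    }

    // HARDENED FORM: keep the JVM defaults (chain validated against the platform
    // trust store, hostname checked against the certificate) unless the caller
    // has explicitly opted out. The opt-out should default to false in any job
    // configuration and be logged when it is used.
    static HttpsURLConnection openHardened(URL almUrl, boolean skipCertValidation) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) almUrl.openConnection();
        if (skipCertValidation) {
            System.err.println("WARNING: TLS certificate validation disabled for " + almUrl.getHost());
            conn.setSSLSocketFactory(trustAllSocketFactory());
            conn.setHostnameVerifier((host, session) -> true);
        }
        // Otherwise HttpsURLConnection uses SSLContext.getDefault() and
        // HttpsURLConnection.getDefaultHostnameVerifier(), which perform validation.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical ALM endpoint used only to show the call shape.
        URL alm = new URL("https://alm.example.com/qcbin/");
        HttpsURLConnection conn = openHardened(alm, false);
        System.out.println("Hostname verifier is default: "
                + (conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier()));
    }
}
```

When reviewing a plugin or client for this class of issue, search for `X509TrustManager` implementations with empty `checkServerTrusted` bodies and for `HostnameVerifier` lambdas or classes that return `true` unconditionally; either one, reached without a user-controlled switch, is the condition this advisory describes.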

Fix

Weakness Enumeration

CWE-295 Improper Certificate Validation

Related Identifiers

CVE-2019-10444
GHSA-QGP8-H5CP-R75R

Affected Products

Hp Alm
Jenkins
Jenkins Bumblebee Hp Alm Plugin