PT-2021-14657 · Jenkins · Jenkins Bumblebee HP ALM Plugin

S0Nnguy3N · Published 2021-01-13 · Updated 2023-10-25 · CVE-2021-21614

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Bumblebee HP ALM Plugin versions 4.1.5 and earlier

Description

The plugin stores credentials unencrypted in its global configuration file on the Jenkins controller, com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml. Any user with access to the Jenkins controller file system can read these credentials. Version 4.1.6 stores the credentials encrypted once the configuration is saved again.

Recommendations

For Jenkins Bumblebee HP ALM Plugin versions 4.1.5 and earlier, update to version 4.1.6 or later and re-save the global configuration so that the stored credentials are encrypted. As a temporary workaround, restrict access to the Jenkins controller file system to reduce the risk of credential exposure.
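An administrator who has upgraded wants to confirm that the stored credentials are actually encrypted now, since the advisory notes this only happens once the configuration is saved again. The following check is an added example written for this page; it is not code from the advisory or from the Bumblebee plugin. It relies on the fact that Jenkins serializes `hudson.util.Secret` values as `{<base64>}` in XML, and on the assumption that secret-bearing elements have names containing words like `password` or `token` (the plugin's real field names are not given in the advisory). The sample configuration embedded below is constructed for the demonstration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Jenkins serializes hudson.util.Secret values as "{<base64 ciphertext>}".
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Assumption: secret-bearing elements are named with one of these words.
# The Bumblebee plugin's actual field names are not stated in the advisory.
SECRET_FIELD_HINTS = ("password", "passwd", "secret", "token", "apikey")

# Constructed sample of a global config file in which one secret was written
# in plaintext (pre-4.1.6 behaviour) and one was already re-saved encrypted.
SAMPLE_CONFIG = """
<com.agiletestware.bumblebee.BumblebeeGlobalConfig>
  <bumblebeeUrl>https://bumblebee.example.invalid</bumblebeeUrl>
  <qcUserName>alm-service</qcUserName>
  <password>hunter2-plaintext-sample</password>
  <proxyPassword>{AQAAABAAAAAQZmFrZS1lbmNyeXB0ZWQtYmxvYg==}</proxyPassword>
</com.agiletestware.bumblebee.BumblebeeGlobalConfig>
"""


def looks_like_secret_field(tag: str) -> bool:
    """True if the element name suggests it holds a credential."""
    return any(hint in tag.lower() for hint in SECRET_FIELD_HINTS)


def iter_with_paths(elem, prefix=""):
    """Depth-first walk yielding (slash-separated path, element)."""
    path = f"{prefix}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from iter_with_paths(child, path)


def find_plaintext_secrets(xml_text: str):
    """Return findings for secret-looking fields whose value is NOT in
    Jenkins' encrypted {base64} form. The value itself is never returned,
    only its path and length, so the report does not leak the credential."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, elem in iter_with_paths(root):
        if not looks_like_secret_field(elem.tag):
            continue
        value = (elem.text or "").strip()
        if not value:
            continue  # empty field: nothing stored, nothing to protect
        if not ENCRYPTED_SECRET.match(value):
            findings.append({"path": path, "length": len(value)})
    return findings


def main(argv):
    # Usage: python check_bumblebee_config.py [path/to/BumblebeeGlobalConfig.xml]
    # Without an argument the constructed sample above is checked.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    findings = find_plaintext_secrets(xml_text)
    if not findings:
        print("OK: all secret-looking fields are stored in encrypted form")
        return 0
    for f in findings:
        print(f"PLAINTEXT secret at {f['path']} ({f['length']} chars): "
              "upgrade to >= 4.1.6 and re-save the global configuration")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a copy of the file rather than granting the script broad read access to `$JENKINS_HOME`; the point of the workaround in the recommendations is precisely that this file should be readable by as few principals as possible. A non-zero exit makes the check easy to wire into a post-upgrade verification step.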

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2021-21614
GHSA-8V72-QR3H-C6RV

Affected Products

Jenkins
Jenkins Bumblebee HP ALM Plugin