GHSA-8v72-qr3h-c6rv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8v72-qr3h-c6rv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8v72-qr3h-c6rv/GHSA-8v72-qr3h-c6rv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8v72-qr3h-c6rv
- Aliases
- Published
- 2022-05-24T17:39:13Z
- Modified
- 2024-02-16T08:09:10.092036Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Credentials stored in plain text by Jenkins Bumblebee HP ALM Plugin
- Details
-
Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file
com.agiletestware.bumblebee.BumblebeeGlobalConfig.xmlon the Jenkins controller as part of its configuration.These credentials can be viewed by users with access to the Jenkins controller file system.
Jenkins Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.
- Database specific
{ "nvd_published_at": "2021-01-13T16:15:00Z", "cwe_ids": [ "CWE-522" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-13T18:53:54Z" }- References
Affected packages
Maven / org.jenkins-ci.plugins:bumblebee
Package
- Name
- org.jenkins-ci.plugins:bumblebee
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/bumblebee
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.1.6