Description
Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.
Remediation
References
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2156
Related Vulnerabilities
CVE-2019-12400 Vulnerability in maven package org.apache.santuario:xmlsec
CVE-2020-2305 Vulnerability in maven package org.jenkins-ci.plugins:mercurial
CVE-2020-1959 Vulnerability in maven package org.apache.syncope.client:syncope-client-enduser
CVE-2022-23621 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2023-40037 Vulnerability in maven package org.apache.nifi:nifi-dbcp-base