Miggo Logo
Miggo Vulnerability Database
CVE-2019-10444

CVE-2019-10444:
Jenkins Bumblebee HP ALM Plugin unconditionally disabled SSL/TLS certificate validation

4.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2019-10444
GHSA ID
GHSA-qgp8-h5cp-r75r
EPSS Score
0.09022%
CWE
CWE-295
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:bumblebeemaven<= 4.1.34.1.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on disabled SSL/TLS validation. Analysis focused on three key components:

  1. Hostname verification bypass - NullHostnameVerifier.verify() would skip hostname validation
  2. Certificate trust mechanism - TrustAllStrategy.isTrusted() would accept any certificate
  3. Client construction - HpAlmClient.createHttpClient() would assemble these insecure components These functions directly implement the unconditional trust described in the advisory. The high confidence comes from the vulnerability's nature requiring these specific SSL bypass mechanisms, while medium confidence on HpAlmClient.createHttpClient() assumes typical HTTP client construction patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *um*l**** *P *LM Plu*in un*on*ition*lly *is**l** SSL/TLS **rti*i**t* v*li**tion *or *onn**tions to t** *P *LM s*rvi**. *um*l**** *P *LM Plu*in no lon**r *o*s t**t. Inst***, it now *llows us*rs to opt out o* **rti*i**t* v*li**tion.

Reasoning

T** vuln*r**ility **nt*rs on *is**l** SSL/TLS v*li**tion. *n*lysis *o*us** on t*r** k*y *ompon*nts: *. *ostn*m* v*ri*i**tion *yp*ss - Null*ostn*m*V*ri*i*r.v*ri*y() woul* skip *ostn*m* v*li**tion *. **rti*i**t* trust m****nism - Trust*llStr*t**y.isTru