CredHub Service Broker uses guessable client secret
CVE-2018-15795

8.1HIGH

Key Information:

Vendor: Pivotal Cloud Foundry
Status: Credhub Service Broker
Vendor: CVE Published:; 13 November 2018

🔔 Create Pivotal Cloud Foundry Vulnerability Alert

What is CVE-2018-15795?

Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.

Affected Version(s)

CredHub Service Broker all versions < 1.1.0

References

https://pivotal.io/security/cve-2018-15795

x_refsource_CONFIRM

http://www.securityfocus.com/bid/105915

vdb-entryx_refsource_BID

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 13, 2018
Vulnerability Reserved
Aug 23, 2018

CVE-2018-15795 Data

JSON