CVE-2018-15795 HIGH

CVE-2018-15795: CredHub Service Broker uses guessable client secret

Vendor: Pivotal Cloud Foundry
Product: CredHub Service Broker
Published: November 13, 2018
Last update: September 16, 2024

CVSS base score

8.1/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation when creating the service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.

Key dates

02 Disclosure timeline

November 13, 2018: CVE published
September 16, 2024: Record updated