VYPR
High severity · NVD Advisory · Published Nov 13, 2018 · Updated Sep 16, 2024

CredHub Service Broker uses guessable client secret

CVE-2018-15795

Description

Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation when creating the service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.springframework.credhub:spring-credhub-core (Maven) | < 1.1.0 | 1.1.0 |
