CVE-2018-15795: CredHub Service Broker uses guessable client secret
Severity
High
Vendor
Pivotal Cloud Foundry
Description
Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- CredHub Service Broker for PCF versions prior to 1.1.0
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
- Credhub Service Broker for PCF: 1.1.0
References
History
2018-11-09: Initial vulnerability report published