CVE-2018-15795

HIGH

Pivotal CredHub Service Broker <1.1.0 - Info Disclosure

Title source: llm
STIX 2.1

Description

Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.

References (2)

Core 2
Core References
Mitigation, Vendor Advisory x_refsource_confirm
https://pivotal.io/security/cve-2018-15795
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105915

Scores

CVSS v3 8.1
EPSS 0.0130
EPSS Percentile 66.7%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Details

CWE
CWE-338
Status published
Products (2)
org.springframework.credhub/spring-credhub-core 0 - 1.1.0Maven
pivotal_software/credhub_service_broker < 1.1.0
Published Nov 13, 2018
Tracked Since Feb 18, 2026