CVE-2018-15795: CredHub Service Broker uses guessable client secret
First published: Tue Nov 13 2018(Updated: )
Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker's UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.
Credit: security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Software Credhub Service Broker | <1.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2018-15795?
CVE-2018-15795 is a vulnerability in Pivotal CredHub Service Broker versions prior to 1.1.0.
What is the impact of CVE-2018-15795?
CVE-2018-15795 allows a remote malicious user to guess the client secret and obtain or modify credentials for users of the CredHub Service.
How can the vulnerability be exploited?
The vulnerability can be exploited by guessing the client secret used in the UAA client for the CredHub Service.
What is the severity of CVE-2018-15795?
CVE-2018-15795 has a severity score of 8.1 (high).
How can I fix CVE-2018-15795?
To fix CVE-2018-15795, update Pivotal CredHub Service Broker to version 1.1.0 or higher.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/pivotal software
- canonical/pivotal software credhub service broker