CVE-2018-15795: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

November 29, 2018 (updated September 16, 2021)

Pivotal CredHub Service Broker, versions prior to 1.1.0, uses a guessable form of random number generation in creating service broker’s UAA client. A remote malicious user may guess the client secret and obtain or modify credentials for users of the CredHub Service.

References

github.com/advisories/GHSA-q3jg-4c82-j4xh
nvd.nist.gov/vuln/detail/CVE-2018-15795
pivotal.io/security/cve-2018-15795

Detect and mitigate CVE-2018-15795 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →