Home

Description

Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows-stemcell-builder allows a remote attacker to brute-force the resulting SSH login via TCP/22. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

PUBLISHED Reserved 2026-05-20 | Published 2026-07-09 | Updated 2026-07-09 | Assigner vmware




HIGH: 7.7CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 7.5CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Product status

Default status
unaffected

Any version before 2019.98
affected

References

www.cloudfoundry.org/...lows-remote-ssh-brute-force-attacks/

cve.org (CVE-2026-47831)

nvd.nist.gov (CVE-2026-47831)

Download JSON