Severity
High
CVSSv4: High 7.7 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CVSSv3: High 7.5 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vendor
Cloud Foundry Foundation
Versions Affected
*Severity is High unless otherwise noted.
bosh-windows-stemcell-builder
– All versions prior to v2019.98
Description
Use of Cryptographically Weak Random Number Generator in GenerateRandomPassword function in bosh-windows-stemcell-builder allows remote attacker to brute-forceable SSH login via TCP/22.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry Foundation recommends upgrading the following releases:
bosh-windows-stemcell-builder
– Upgrade to v2019.98 or later
Credit
This issue was responsibly reported by VMware Tanzu by Broadcom.
History
Jul 8, 2026: Initial vulnerability report published.
