CVE-2026-47831 PUBLISHED

Cryptographically Weak Password Generation in bosh-windows-stemcell-builder Allows Remote SSH Brute-Force Attacks

Assigner: vmware
Reserved: 20.05.2026 Published: 09.07.2026 Updated: 09.07.2026

Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows-stemcell-builder allows a remote attacker to brute-force the resulting SSH login via TCP/22. Affected versions: bosh-windows-stemcell-builder versions prior to v2019.98.

Metrics

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.7

Product Status

Vendor Cloud Foundry Foundation
Product bosh-windows-stemcell-builder
Versions Default: unaffected
  • affected from 0 to 2019.98 (excl.)

References

Problem Types

  • CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE

Impacts

  • Remote SSH brute-force attacks against generated passwords with insufficient entropy.