7.5
CVE-2026-5088
- EPSS 0.57%
- Published 15.04.2026 07:03:13
- Last modified 06.05.2026 14:18:23
- Source 9b29abf9-4ab0-4765-b253-1875cd
Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts
Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attempt to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If neither module is available, they will simply return 16 bytes generated with Perl's built-in rand function. The rand function is unsuitable for cryptographic use. These salts are used for password hashing.
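The fallback chain described above, as an added Perl example that is not the module's own code: a hypothetical `make_salt_insecure` mirrors the silent downgrade to `rand`, `make_salt_secure` fails closed instead, and a short check shows that the `rand` fallback repeats under the same seed.

```perl
use strict;
use warnings;

# Added example (hypothetical, not Apache2::API::Password's own code).
# The fallback the advisory describes: 16 bytes from Perl's rand(), a
# non-cryptographic PRNG (CWE-338).
sub rand_salt {
    my $len = shift // 16;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Vulnerable pattern: try the CSPRNG modules, then silently downgrade.
sub make_salt_insecure {
    my $len = shift // 16;
    return Crypt::URandom::urandom($len)
        if eval { require Crypt::URandom; 1 };
    return Bytes::Random::Secure::random_bytes($len)
        if eval { require Bytes::Random::Secure; 1 };
    return rand_salt($len);    # weak salt, no error raised, nothing logged
}

# Hardened pattern: fail closed. A missing CSPRNG is a deployment error,
# not something to paper over with rand().
sub make_salt_secure {
    my $len = shift // 16;
    return Crypt::URandom::urandom($len)
        if eval { require Crypt::URandom; 1 };
    return Bytes::Random::Secure::random_bytes($len)
        if eval { require Bytes::Random::Secure; 1 };
    die "No CSPRNG available (install Crypt::URandom); refusing to make a salt\n";
}

# Why the downgrade matters: rand() is fully determined by its seed, so
# two salts drawn after the same srand() are identical. CSPRNG output
# cannot be reproduced this way.
srand(12345);
my $first = rand_salt();
srand(12345);
my $second = rand_salt();
printf "rand() salt repeats under the same seed: %s\n",
    $first eq $second ? 'yes' : 'no';

# The hardened version either yields a salt or dies; it never degrades.
my $salt = eval { make_salt_secure() };
print defined $salt
    ? sprintf("secure salt: %s\n", unpack 'H*', $salt)
    : "secure salt unavailable: $@";
```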
Data provided by the National Vulnerability Database (NVD)
Affected: Jdeguest ≫ Apache::API::Password (software platform: Perl), version < 0.5.3
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.57% | 0.427 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
https://security.metacpan.org/docs/guides/random-data-for-security.html
https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.3/changes
https://metacpan.org/release/JDEGUEST/Apache2-API-v0.5.2/view/lib/Apache2/API/Password.pod
https://metacpan.org/pod/Crypt::URandom
http://www.openwall.com/lists/oss-security/2026/04/15/4
http://www.openwall.com/lists/oss-security/2026/04/15/5