CVE-2026-8503

EPSS 0.24%
Veröffentlicht 15.05.2026 11:06:29
Zuletzt bearbeitet 18.05.2026 18:23:03
Quelle 9b29abf9-4ab0-4765-b253-1875cd
CVE-Watchlists
Login
Unerledigt
Login

Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids

Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids.

Apache::Session::Generate::SHA256 generated session ids insecurely. The default session id generator returns a SHA-256 hash of the built-in rand() function, the epoch time, and the PID, that is hashed again. These are predictable, low-entropy sources. Predicable session ids could allow an attacker to gain access to systems.

Note that version 1.3.19 has a fallback without warning to use insecure session generation method if the call to Crypt::URandom::urandom fails. However, this is unlikely as Crypt::URandom is a hardcoded requirement of the module.

This issue is similar to CVE-2025-40931 for Apache::Session::Generate::MD5.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 8

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Guimard ≫ Apache::session::generate::sha256 SwPlatformperl Version < 1.3.19

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.153

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

CWE-340 Generation of Predictable Numbers or Identifiers

The product uses a scheme that generates numbers or identifiers that are more predictable than required.

https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/changes

Release Notes

https://metacpan.org/release/GUIMARD/Apache-Session-Browseable-1.3.19/diff/GUIMARD/Apache-Session-Browseable-1.3.18#lib/Apache/Session/Generate/SHA256.pm

Product

https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/cc915cbbd266776eec3dd8bf4748b15fa827dbd0.patch

Patch

https://www.cve.org/CVERecord?id=CVE-2025-40931

Third Party Advisory

https://www.cve.org/CVERecord?id=CVE-2025-40932

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-8503

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-8503

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-8503

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-8503