- Description
- HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage. HTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above.
- Source
- 9b29abf9-4ab0-4765-b253-1875cd9b441e
- NVD status
- Analyzed
- Products
- http\
CVSS 3.1
- Type
- Primary
- Base score
- 6.5
- Impact score
- 2.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
- Severity
- MEDIUM
- 9b29abf9-4ab0-4765-b253-1875cd9b441e
- CWE-338
- Hype score
- Not currently trending
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tokuhirom:http\\:\\:session2:*:*:*:*:*:perl:*:*",
"matchCriteriaId": "D09565CB-6117-4D7D-BDFB-60715A2A058E",
"versionEndExcluding": "1.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]