Common Weakness Enumeration

CWE-338

Allowed

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Abstraction: Base · Status: Draft

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

293 vulnerabilities reference this CWE, most recent first.

CVE-2025-40920 (GCVE-0-2025-40920)

Vulnerability from cvelistv5 – Published: 2025-08-11 20:19 – Updated: 2026-01-17 20:23
VLAI
Title
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces
Summary
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-340 - Generation of Predictable Numbers or Identifiers
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
Assigner
Impacted products
Vendor Product Version
ETHER Catalyst::Authentication::Credential::HTTP Affected: 0.06 , ≤ 1.018 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 8.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40920",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-11T20:52:17.823708Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-11T20:52:44.260Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:19.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/12/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Catalyst-Authentication-Credential-HTTP",
          "product": "Catalyst::Authentication::Credential::HTTP",
          "repo": "https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP",
          "vendor": "ETHER",
          "versions": [
            {
              "lessThanOrEqual": "1.018",
              "status": "affected",
              "version": "0.06",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eCatalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.\u003cul\u003e\u003cli\u003eData::UUID does not use a strong cryptographic source for generating UUIDs.\u003c/li\u003e\u003cli\u003eData::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.\u003c/li\u003e\u003cli\u003eThe nonces should be generated from a strong cryptographic source, as per RFC 7616.\u003c/li\u003e\u003c/ul\u003e\u003c/div\u003e"
            }
          ],
          "value": "Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.\n  *  Data::UUID does not use a strong cryptographic source for generating UUIDs.\n  *  Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.\n  *  The nonces should be generated from a strong cryptographic source, as per RFC 7616."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-340",
              "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-17T20:23:09.178Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://security.metacpan.org/patches/C/Catalyst-Authentication-Credential-HTTP/1.018/CVE-2025-40920-r1.patch"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/pull/1"
        },
        {
          "url": "https://metacpan.org/release/ETHER/Catalyst-Authentication-Credential-HTTP-1.018/source/lib/Catalyst/Authentication/Credential/HTTP.pm#L391"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc9562#name-security-considerations"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc7616#section-5.12"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/perl-catalyst/Catalyst-Authentication-Credential-HTTP/commit/ad2c03aad95406db4ce35dfb670664ebde004c18"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eUsers are advised to upgrade to Catalyst-Authentication-Credential-HTTP version 1.019 or later.\u003c/div\u003e"
            }
          ],
          "value": "Users are advised to upgrade to Catalyst-Authentication-Credential-HTTP version 1.019 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl use insecurely generated nonces",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40920",
    "datePublished": "2025-08-11T20:19:57.516Z",
    "dateReserved": "2025-04-16T09:05:34.362Z",
    "dateUpdated": "2026-01-17T20:23:09.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40919 (GCVE-0-2025-40919)

Vulnerability from cvelistv5 – Published: 2025-07-16 14:04 – Updated: 2025-07-16 20:49
VLAI
Title
Authen::DigestMD5 versions 0.01 through 0.04 for Perl generate the cnonce insecurely
Summary
Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-340 - Generation of Predictable Numbers or Identifiers
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
Assigner
Impacted products
Vendor Product Version
SALVA Authen::DigestMD5 Affected: 0.01 , ≤ 0.04 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40919",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-16T20:49:09.619470Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-16T20:49:26.539Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Authen-DigestMD5",
          "product": "Authen::DigestMD5",
          "programFiles": [
            "DigestMD5.pm"
          ],
          "vendor": "SALVA",
          "versions": [
            {
              "lessThanOrEqual": "0.04",
              "status": "affected",
              "version": "0.01",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eAuthen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely.\u003c/div\u003e\u003cdiv\u003eThe cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\u003c/div\u003e\u003cdiv\u003eAccording to RFC 2831, \u003cq\u003eThe cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation\n depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.\u003c/q\u003e\u003c/div\u003e"
            }
          ],
          "value": "Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely.\n\nThe cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nAccording to RFC 2831, \"The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-340",
              "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-16T14:04:09.443Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://metacpan.org/release/SALVA/Authen-DigestMD5-0.01/source/DigestMD5.pm#L126"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc2831"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authen::DigestMD5 versions 0.01 through 0.04 for Perl generate the cnonce insecurely",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40919",
    "datePublished": "2025-07-16T14:04:09.443Z",
    "dateReserved": "2025-04-16T09:05:34.362Z",
    "dateUpdated": "2025-07-16T20:49:26.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40918 (GCVE-0-2025-40918)

Vulnerability from cvelistv5 – Published: 2025-07-16 14:00 – Updated: 2025-11-04 21:10
VLAI
Title
Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely
Summary
Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-340 - Generation of Predictable Numbers or Identifiers
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
Assigner
Impacted products
Vendor Product Version
EHUELS Authen::SASL::Perl::DIGEST_MD5 Affected: 2.04 , ≤ 2.1800 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40918",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-16T20:48:38.205622Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-16T20:48:52.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:18.064Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/16/5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Authen-SASL",
          "product": "Authen::SASL::Perl::DIGEST_MD5",
          "programFiles": [
            "DIGEST_MD5.pm"
          ],
          "repo": "https://github.com/gbarr/perl-authen-sasl",
          "vendor": "EHUELS",
          "versions": [
            {
              "lessThanOrEqual": "2.1800",
              "status": "affected",
              "version": "2.04",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eAuthen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely.\u003c/div\u003e\u003cdiv\u003eThe cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\u003c/div\u003e\u003cdiv\u003eAccording to RFC 2831, \u003cq\u003eThe cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation\n depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy.\u003c/q\u003e\u003c/div\u003e"
            }
          ],
          "value": "Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely.\n\nThe cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nAccording to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation\n depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-340",
              "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-07T09:08:47.396Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://metacpan.org/release/EHUELS/Authen-SASL-2.1900/changes"
        },
        {
          "url": "https://metacpan.org/dist/Authen-SASL/source/lib/Authen/SASL/Perl/DIGEST_MD5.pm#L263"
        },
        {
          "url": "https://datatracker.ietf.org/doc/html/rfc2831"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://security.metacpan.org/patches/A/Authen-SASL/2.1800/CVE-2025-40918-r1.patch"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/gbarr/perl-authen-sasl/pull/22"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eUsers should upgrade to version 2.1900 or later.\u003c/div\u003e"
            }
          ],
          "value": "Users should upgrade to version 2.1900 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40918",
    "datePublished": "2025-07-16T14:00:12.777Z",
    "dateReserved": "2025-04-16T09:05:34.361Z",
    "dateUpdated": "2025-11-04T21:10:18.064Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-40916 (GCVE-0-2025-40916)

Vulnerability from cvelistv5 – Published: 2025-06-16 11:01 – Updated: 2025-06-16 13:31
VLAI
Title
Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha text
Summary
Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha. That version uses the built-in rand() function for generating the captcha text as well as image noise, which is insecure.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
  • CWE-804 - Guessable CAPTCHA
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40916",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T13:31:12.359144Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T13:31:45.621Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious-Plugin-CaptchaPNG",
          "product": "Mojolicious::Plugin::CaptchaPNG",
          "repo": "https://github.com/gryphonshafer/Mojo-Plugin-CaptchaPNG",
          "vendor": "GRYPHON",
          "versions": [
            {
              "status": "affected",
              "version": "1.05",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eMojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha text.\u003c/div\u003e\u003cdiv\u003eThat version uses the built-in rand() function for generating the captcha text as well as image noise, which is insecure.\u003c/div\u003e"
            }
          ],
          "value": "Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha.\n\nThat version uses the built-in rand() function for generating the captcha text as well as image noise, which is insecure."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-804",
              "description": "CWE-804 Guessable CAPTCHA",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-16T11:01:08.871Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CaptchaPNG-1.04/diff/GRYPHON/Mojolicious-Plugin-CaptchaPNG-1.05/lib/Mojolicious/Plugin/CaptchaPNG.pm"
        },
        {
          "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CaptchaPNG-1.06/changes"
        },
        {
          "url": "https://metacpan.org/pod/perlfunc#rand"
        },
        {
          "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eUsers should upgrade to version 1.06 or later.\u003c/div\u003e"
            }
          ],
          "value": "Users should upgrade to version 1.06 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious::Plugin::CaptchaPNG version 1.05 for Perl uses a weak random number source for generating the captcha text",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40916",
    "datePublished": "2025-06-16T11:01:08.871Z",
    "dateReserved": "2025-04-16T09:05:34.361Z",
    "dateUpdated": "2025-06-16T13:31:45.621Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40915 (GCVE-0-2025-40915)

Vulnerability from cvelistv5 – Published: 2025-06-11 17:09 – Updated: 2025-06-11 17:57
VLAI
Title
Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens
Summary
Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
Assigner
Impacted products
Vendor Product Version
GRYPHON Mojolicious::Plugin::CSRF Affected: 1.03 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40915",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-11T17:52:49.542565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-11T17:57:28.026Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious-Plugin-CSRF",
          "product": "Mojolicious::Plugin::CSRF",
          "repo": "https://github.com/gryphonshafer/Mojo-Plugin-CSRF",
          "vendor": "GRYPHON",
          "versions": [
            {
              "status": "affected",
              "version": "1.03",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eMojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\u003c/div\u003e\u003cdiv\u003eThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.\u003c/div\u003e"
            }
          ],
          "value": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\n\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62: Cross Site Request Forgery"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-11T17:09:50.664Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03"
        },
        {
          "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Users of version 1.03 should upgrade to 1.04."
            }
          ],
          "value": "Users of version 1.03 should upgrade to 1.04."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40915",
    "datePublished": "2025-06-11T17:09:50.664Z",
    "dateReserved": "2025-04-16T09:05:34.361Z",
    "dateUpdated": "2025-06-11T17:57:28.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40905 (GCVE-0-2025-40905)

Vulnerability from cvelistv5 – Published: 2026-02-12 23:39 – Updated: 2026-02-17 15:05
VLAI
Title
WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions
Summary
WWW::OAuth 1.000 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
Impacted products
Vendor Product Version
DBOOK WWW::OAuth Affected: 0 , ≤ 1.000 (custom)
Create a notification for this product.
Credits
Robert Rothenberg (RRWO)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-02-13T19:16:45.884Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/02/13/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40905",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-17T15:05:08.725825Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-17T15:05:12.318Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "WWW-OAuth",
          "product": "WWW::OAuth",
          "programFiles": [
            "lib/WWW/OAuth.pm"
          ],
          "vendor": "DBOOK",
          "versions": [
            {
              "lessThanOrEqual": "1.000",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Rothenberg (RRWO)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "WWW::OAuth 1.000 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions."
            }
          ],
          "value": "WWW::OAuth 1.000 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-12T23:39:28.994Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://perldoc.perl.org/functions/rand"
        },
        {
          "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
        },
        {
          "url": "https://metacpan.org/release/DBOOK/WWW-OAuth-1.000/source/lib/WWW/OAuth.pm#L86"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to WWW::OAuth 1.001 or higher"
            }
          ],
          "value": "Upgrade to WWW::OAuth 1.001 or higher"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-40905",
    "datePublished": "2026-02-12T23:39:28.994Z",
    "dateReserved": "2025-04-16T09:05:34.360Z",
    "dateUpdated": "2026-02-17T15:05:12.318Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-27552 (GCVE-0-2025-27552)

Vulnerability from cvelistv5 – Published: 2025-03-26 11:08 – Updated: 2025-09-05 13:21
VLAI
Title
DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting password hashes in Crypt/Eksblowfish/Bcrypt.pm
Summary
DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes. This vulnerability is associated with program files Crypt/Eksblowfish/Bcrypt.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE-916 - Use of Password Hash With Insufficient Computational Effort
  • CWE-331 - Insufficient Entropy
Assigner
Impacted products
Vendor Product Version
WREIS DBIx::Class::EncodedColumn Affected: 0 , < 0.00032 (custom)
Create a notification for this product.
Credits
Robert Rothenberg
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27552",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T19:12:59.308361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-26T19:13:10.116Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "DBIx-Class-EncodedColumn",
          "product": "DBIx::Class::EncodedColumn",
          "programFiles": [
            "lib/DBIx/Class/EncodedColumn/Crypt/Eksblowfish/Bcrypt.pm"
          ],
          "repo": "https://github.com/wreis/DBIx-Class-EncodedColumn",
          "vendor": "WREIS",
          "versions": [
            {
              "lessThan": "0.00032",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Rothenberg"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.\u003cbr\u003e\u003cbr\u003eThis vulnerability is associated with program files Crypt/Eksblowfish/Bcrypt.pm.\u003cbr\u003e\u003cbr\u003eThis issue affects DBIx::Class::EncodedColumn until 0.00032.\u003cbr\u003e"
            }
          ],
          "value": "DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.\n\nThis vulnerability is associated with program files Crypt/Eksblowfish/Bcrypt.pm.\n\nThis issue affects DBIx::Class::EncodedColumn until 0.00032."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-916",
              "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-331",
              "description": "CWE-331 Insufficient Entropy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-05T13:21:10.093Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/WREIS/DBIx-Class-EncodedColumn-0.00032/changes"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting password hashes in Crypt/Eksblowfish/Bcrypt.pm",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-27552",
    "datePublished": "2025-03-26T11:08:11.434Z",
    "dateReserved": "2025-02-28T20:33:23.575Z",
    "dateUpdated": "2025-09-05T13:21:10.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27551 (GCVE-0-2025-27551)

Vulnerability from cvelistv5 – Published: 2025-03-26 11:07 – Updated: 2025-09-05 13:20
VLAI
Title
DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting password hashes in Digest.pm
Summary
DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes. This vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE-916 - Use of Password Hash With Insufficient Computational Effort
  • CWE-331 - Insufficient Entropy
Assigner
Impacted products
Vendor Product Version
WREIS DBIx::Class::EncodedColumn Affected: 0 , < 0.00032 (custom)
Create a notification for this product.
Credits
Robert Rothenberg
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "NONE",
              "baseScore": 4,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-27551",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-26T19:17:06.347290Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-26T19:17:11.321Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "modules": [
            "DBIx::Class::EncodedColumn::Digest"
          ],
          "packageName": "DBIx-Class-EncodedColumn",
          "product": "DBIx::Class::EncodedColumn",
          "programFiles": [
            "lib/DBIx/Class/EncodedColumn/Digest.pm"
          ],
          "repo": "https://github.com/wreis/DBIx-Class-EncodedColumn",
          "vendor": "WREIS",
          "versions": [
            {
              "lessThan": "0.00032",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Robert Rothenberg"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.\u003cbr\u003e\u003cbr\u003eThis vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm.\u003cbr\u003e\u003cbr\u003eThis issue affects DBIx::Class::EncodedColumn until 0.00032.\u003cbr\u003e"
            }
          ],
          "value": "DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.\n\nThis vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm.\n\nThis issue affects DBIx::Class::EncodedColumn until 0.00032."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-916",
              "description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-331",
              "description": "CWE-331 Insufficient Entropy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-05T13:20:43.993Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "related"
          ],
          "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/WREIS/DBIx-Class-EncodedColumn-0.00032/changes"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting password hashes in Digest.pm",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2025-27551",
    "datePublished": "2025-03-26T11:07:43.089Z",
    "dateReserved": "2025-02-28T20:33:23.575Z",
    "dateUpdated": "2025-09-05T13:20:43.993Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-26379 (GCVE-0-2025-26379)

Vulnerability from cvelistv5 – Published: 2025-12-22 14:21 – Updated: 2025-12-22 16:19
VLAI
Title
Johnson Controls IQ Panels2, 2+, IQHub, IQPanel 4, PowerG use of Cryptographically Weak Pseudo-Random Number Generator
Summary
Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
jci
Impacted products
Vendor Product Version
Johnson Controls IQ Panels2, 2+, IQHub, IQPanel 4, PowerG Affected: IQ Panels2 , ≤ 2 (custom)
Affected: IQ Panel 2+ , ≤ 2+ (custom)
Affected: IQHub (custom)
Affected: IQPanel 4 , ≤ 4.6.0 (custom)
Affected: PowerG , ≤ 53.02 (custom)
Create a notification for this product.
Date Public
2025-12-16 14:11
Credits
James Chambersof NCC Group and Sultan Qasim Khan NCC Group
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-26379",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-22T16:19:13.074335Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-22T16:19:25.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "IQ Panels2, 2+, IQHub, IQPanel 4, PowerG",
          "vendor": "Johnson Controls",
          "versions": [
            {
              "lessThanOrEqual": "2",
              "status": "affected",
              "version": "IQ Panels2",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2+",
              "status": "affected",
              "version": "IQ Panel 2+",
              "versionType": "custom"
            },
            {
              "status": "affected",
              "version": "IQHub",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "4.6.0",
              "status": "affected",
              "version": "IQPanel 4",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "53.02",
              "status": "affected",
              "version": "PowerG",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "James Chambersof NCC Group"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "and Sultan Qasim Khan NCC Group"
        }
      ],
      "datePublic": "2025-12-16T14:11:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets.\u003cbr\u003e"
            }
          ],
          "value": "Use of a weak pseudo-random number generator, which may allow an attacker to read or inject encrypted PowerG packets."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-59",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-59 Session Credential Falsification through Prediction"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-22T14:21:29.597Z",
        "orgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
        "shortName": "jci"
      },
      "references": [
        {
          "url": "https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories"
        },
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "a.  Update IQ Panel 4\u2019s to version 4.6.1/4.6.1i\u003cbr\u003eb.  Devices that support PowerG+ should use PowerG v53.05 or later. \u003cbr\u003ec.  During the installation or enrollment of PowerG+ devices, enter the PIN code in the PIN Code field on the sensor enrollment screen. For additional security, Johnson Controls recommends only authorized company personnel or integrators be present during the pairing process\u003cbr\u003ed.  Replace all End-of-Life Products (IQ Panel 2, IQ Panel 2+, IQ Hub) with the latest IQ Panel 4 using firmware version 4.6.1 or greater\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "a.  Update IQ Panel 4\u2019s to version 4.6.1/4.6.1i\nb.  Devices that support PowerG+ should use PowerG v53.05 or later. \nc.  During the installation or enrollment of PowerG+ devices, enter the PIN code in the PIN Code field on the sensor enrollment screen. For additional security, Johnson Controls recommends only authorized company personnel or integrators be present during the pairing process\nd.  Replace all End-of-Life Products (IQ Panel 2, IQ Panel 2+, IQ Hub) with the latest IQ Panel 4 using firmware version 4.6.1 or greater"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Johnson Controls IQ Panels2, 2+, IQHub, IQPanel 4, PowerG use of Cryptographically Weak Pseudo-Random Number Generator",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7281d04a-a537-43df-bfb4-fa4110af9d01",
    "assignerShortName": "jci",
    "cveId": "CVE-2025-26379",
    "datePublished": "2025-12-22T14:21:29.597Z",
    "dateReserved": "2025-02-07T14:15:53.879Z",
    "dateUpdated": "2025-12-22T16:19:25.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22376 (GCVE-0-2025-22376)

Vulnerability from cvelistv5 – Published: 2025-01-03 00:00 – Updated: 2025-01-21 17:49
VLAI
Summary
In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22376",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-21T14:04:35.627555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-338",
                "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-21T17:49:18.077Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "url": "https://metacpan.org/release/RRWO/Net-OAuth-0.29/diff/KGRENNAN/Net-OAuth-0.28#lib/Net/OAuth/Client.pm"
          },
          {
            "url": "https://www.vulnarium.com/blogpost-2025-01-05"
          },
          {
            "url": "https://github.com/keeth/Net-OAuth/commit/2aa25e04aadab247ae4063363fcee177161e1f42"
          },
          {
            "url": "https://datatracker.ietf.org/doc/html/rfc5849#section-4.10"
          },
          {
            "url": "https://datatracker.ietf.org/doc/html/rfc5849#section-3.3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-03T21:14:03.744Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://metacpan.org/release/RRWO/Net-OAuth-0.29/changes"
        },
        {
          "url": "https://metacpan.org/release/KGRENNAN/Net-OAuth-0.28/source/lib/Net/OAuth/Client.pm#L260"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-22376",
    "datePublished": "2025-01-03T00:00:00.000Z",
    "dateReserved": "2025-01-03T00:00:00.000Z",
    "dateUpdated": "2025-01-21T17:49:18.077Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Implementation

Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.

No CAPEC attack patterns related to this CWE.