Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by ASPEER

    CVE-2026-5084 (GCVE-0-2026-5084)

    Vulnerability from nvd – Published: 2026-05-11 06:37 – Updated: 2026-05-11 16:53
    VLAI
    Title
    WebDyne::Session versions through 2.075 for Perl generates the session id insecurely
    Summary
    WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest. The rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes. Predictable session ids could allow an attacker to gain access to systems. Note that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-340 - Generation of Predictable Numbers or Identifiers
    • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
    Assigner
    Impacted products
    Vendor Product Version
    ASPEER WebDyne::Session Affected: 0 , ≤ 2.075 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5084",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T16:24:24.075813Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T16:24:27.484Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-11T16:53:23.622Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "WebDyne",
              "product": "WebDyne::Session",
              "programFiles": [
                "lib/WebDyne/Session.pm"
              ],
              "programRoutines": [
                {
                  "name": "WebDyne::Session::handler"
                }
              ],
              "repo": "https://github.com/aspeer/WebDyne",
              "vendor": "ASPEER",
              "versions": [
                {
                  "lessThanOrEqual": "2.075",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "WebDyne::Session versions through 2.075 for Perl generates the session id insecurely.\n\nThe session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest.\n\nThe rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes.\n\nPredictable session ids could allow an attacker to gain access to systems.\n\nNote that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-102",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-102 Session Sidejacking"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-340",
                  "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-338",
                  "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T06:37:19.384Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "url": "https://metacpan.org/release/ASPEER/WebDyne-2.075/source/lib/WebDyne/Session.pm#L120"
            },
            {
              "url": "https://webdyne.org"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WebDyne::Session versions through 2.075 for Perl generates the session id insecurely",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-5084",
        "datePublished": "2026-05-11T06:37:19.384Z",
        "dateReserved": "2026-03-28T19:18:57.110Z",
        "dateUpdated": "2026-05-11T16:53:23.622Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5084 (GCVE-0-2026-5084)

    Vulnerability from cvelistv5 – Published: 2026-05-11 06:37 – Updated: 2026-05-11 16:53
    VLAI
    Title
    WebDyne::Session versions through 2.075 for Perl generates the session id insecurely
    Summary
    WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest. The rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes. Predictable session ids could allow an attacker to gain access to systems. Note that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-340 - Generation of Predictable Numbers or Identifiers
    • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator
    Assigner
    Impacted products
    Vendor Product Version
    ASPEER WebDyne::Session Affected: 0 , ≤ 2.075 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5084",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-11T16:24:24.075813Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-11T16:24:27.484Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-05-11T16:53:23.622Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/05/11/3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "WebDyne",
              "product": "WebDyne::Session",
              "programFiles": [
                "lib/WebDyne/Session.pm"
              ],
              "programRoutines": [
                {
                  "name": "WebDyne::Session::handler"
                }
              ],
              "repo": "https://github.com/aspeer/WebDyne",
              "vendor": "ASPEER",
              "versions": [
                {
                  "lessThanOrEqual": "2.075",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "WebDyne::Session versions through 2.075 for Perl generates the session id insecurely.\n\nThe session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest.\n\nThe rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes.\n\nPredictable session ids could allow an attacker to gain access to systems.\n\nNote that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-102",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-102 Session Sidejacking"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-340",
                  "description": "CWE-340 Generation of Predictable Numbers or Identifiers",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-338",
                  "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T06:37:19.384Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "url": "https://metacpan.org/release/ASPEER/WebDyne-2.075/source/lib/WebDyne/Session.pm#L120"
            },
            {
              "url": "https://webdyne.org"
            },
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "WebDyne::Session versions through 2.075 for Perl generates the session id insecurely",
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2026-5084",
        "datePublished": "2026-05-11T06:37:19.384Z",
        "dateReserved": "2026-03-28T19:18:57.110Z",
        "dateUpdated": "2026-05-11T16:53:23.622Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }