oss-sec mailing list archives

CVE-2026-6659: Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts


From: Robert Rothenberg <rrwo () cpansec org>
Date: Fri, 8 May 2026 18:23:37 +0100

========================================================================
CVE-2026-6659                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-6659
  Distribution:  Crypt-PasswdMD5
      Versions:  through 1.42

      MetaCPAN:  https://metacpan.org/dist/Crypt-PasswdMD5
      VCS Repo:  https://github.com/ronsavage/Crypt-PasswdMD5


Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure
random values for salts

Description
-----------
Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure
random values for salts.

The built-in rand function is predictable, and unsuitable for
cryptography.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
  (PRNG)

References
----------
https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47
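
The weakness described above, shown as an added example that is not part of the advisory and is not the module's own code: a salt drawn from Perl's built-in rand repeats exactly when the generator is reseeded, while a salt drawn from the kernel CSPRNG does not depend on any seed. The function names, the seed value and the use of /dev/urandom (a Unix-like system) are assumptions made for the illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# crypt(3) salt alphabet: 64 characters, so 6 bits pick one without bias.
my @ALPHABET = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Weak pattern (illustration only, hypothetical helper): built-in rand().
sub weak_salt {
    my ($len) = @_;
    return join '', map { $ALPHABET[ int(rand(@ALPHABET)) ] } 1 .. $len;
}

# Hardened pattern (hypothetical helper): bytes from the kernel CSPRNG.
sub strong_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $len) {
        # Append at the current end of $buf until $len bytes are collected.
        my $got = read($fh, $buf, $len - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom"    if $got == 0;
    }
    close $fh;
    # 256 is a multiple of 64, so masking to 6 bits keeps the choice uniform.
    return join '', map { $ALPHABET[ $_ & 0x3f ] } unpack 'C*', $buf;
}

# rand() is fully determined by its seed: same seed, same "random" salt.
srand(20260508);    # constructed seed
my $first = weak_salt(8);
srand(20260508);
my $second = weak_salt(8);

printf "rand() salt, run 1:        %s\n", $first;
printf "rand() salt, run 2:        %s\n", $second;
printf "identical after reseeding: %s\n", $first eq $second ? 'yes' : 'no';
printf "CSPRNG salt:               %s\n", strong_salt(8);
```

A salt produced this way can be passed explicitly as the second argument to unix_md5_crypt, so the module's own salt generation is not used.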



