oss-sec mailing list archives

CVE-2026-47373: Crypt::SaltedHash versions through 0.09 for Perl are susceptible to timing attacks


From: Robert Rothenberg <rrwo () cpansec org>
Date: Wed, 20 May 2026 21:27:19 +0100

========================================================================
CVE-2026-47373                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-47373
  Distribution:  Crypt-SaltedHash
      Versions:  through 0.09

      MetaCPAN:  https://metacpan.org/dist/Crypt-SaltedHash
      VCS Repo:  https://github.com/robrwo/perl-Crypt-SaltedHash


Crypt::SaltedHash versions through 0.09 for Perl are susceptible to
timing attacks

Description
-----------
Crypt::SaltedHash versions through 0.09 for Perl are susceptible to
timing attacks.

These versions compare the recomputed hash with the stored one using
Perl's built-in eq operator, which returns as soon as it reaches the
first differing byte. The comparison therefore takes slightly longer
the more leading bytes match, and an attacker who can measure that
discrepancy precisely enough could use it to guess the underlying hash
byte by byte.
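As an added illustration (this is not code from Crypt::SaltedHash or from the
0.10 fix), the following Perl script puts the eq comparison beside a
constant-time replacement and runs both over a salted SHA-1 hash. The
"{SSHA}" layout, the four-byte salt, the sample secret and the helper names
are assumptions made for the example; the constant-time function is one way
to close the hole, not necessarily the one 0.10 uses.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA  qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);
use Time::HiRes  qw(time);

# Assumed layout for this example: "{SSHA}" . base64(sha1(secret . salt) . salt)
# with a four-byte salt. This is the common LDAP-style form, not a statement
# about the module's internals.
my $SALT_LEN = 4;

sub make_hash {
    my ($secret, $salt) = @_;
    return '{SSHA}' . encode_base64(sha1($secret . $salt) . $salt, '');
}

# Recompute the hash for a candidate secret using the salt carried in $stored.
sub recompute {
    my ($secret, $stored) = @_;
    my $raw  = decode_base64(substr($stored, length('{SSHA}')));
    my $salt = substr($raw, -$SALT_LEN);
    return make_hash($secret, $salt);
}

# Vulnerable pattern: eq stops at the first differing byte, so its running
# time grows with the length of the matching prefix.
sub validate_eq {
    my ($stored, $secret) = @_;
    return recompute($secret, $stored) eq $stored ? 1 : 0;
}

# Constant-time comparison: every byte is inspected and the XOR differences
# are OR-ed together, so the running time does not depend on where the two
# strings first differ. The length check is an early return, but the length
# of a hash is fixed by the scheme and not secret.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub validate_ct {
    my ($stored, $secret) = @_;
    return constant_time_eq(recompute($secret, $stored), $stored);
}

# Crude timing harness: runs $cmp on the same pair $iters times and returns
# the elapsed seconds. The per-call difference is tens of nanoseconds and
# easily buried in noise, so single runs are only illustrative.
sub time_compare {
    my ($cmp, $expected, $candidate, $iters) = @_;
    my $t0 = time;
    $cmp->($expected, $candidate) for 1 .. $iters;
    return time - $t0;
}

# Constructed sample data for the example.
my $stored = make_hash('correct horse', "\x01\x02\x03\x04");

print "valid secret, eq: ", validate_eq($stored, 'correct horse'), "\n";
print "valid secret, ct: ", validate_ct($stored, 'correct horse'), "\n";
print "wrong secret, eq: ", validate_eq($stored, 'wrong'), "\n";
print "wrong secret, ct: ", validate_ct($stored, 'wrong'), "\n";

# Two candidates that differ from the stored hash at byte 0 and at the last
# byte respectively ('!' is outside the base64 alphabet and differs from '{').
my $early_mismatch = '!' x length($stored);
my $late_mismatch  = substr($stored, 0, -1) . '!';
my $iters = 200_000;
my $eq = sub { $_[0] eq $_[1] ? 1 : 0 };

printf "eq  early/late mismatch: %.4fs / %.4fs\n",
    time_compare($eq, $stored, $early_mismatch, $iters),
    time_compare($eq, $stored, $late_mismatch,  $iters);
printf "ct  early/late mismatch: %.4fs / %.4fs\n",
    time_compare(\&constant_time_eq, $stored, $early_mismatch, $iters),
    time_compare(\&constant_time_eq, $stored, $late_mismatch,  $iters);
```

The two validate functions return the same results; the only difference is
the last two lines, where the eq path tends to finish faster on the early
mismatch than on the late one while the constant-time path does not. What
the attacker learns from such a leak is the stored hash, not the secret
directly, which then has to be attacked offline; over a network the signal
is far smaller than in this local loop and needs many samples to extract.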

Problem types
-------------
- CWE-208 Observable Timing Discrepancy

Solutions
---------
Upgrade to version 0.10 or later.


References
----------
https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a.patch



