PT-2025-32585
Robrwo
Published 2025-01-01 · Updated 2025-09-23
CVE-2025-40920
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions:
Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier
Description:
The software generates nonces using the Perl Data::UUID library, which does not employ a strong cryptographic source for UUID generation. Data::UUID returns v3 UUIDs, which are derived from known information and are unsuitable for security purposes, as defined in RFC 9562. Nonces should be generated using a strong cryptographic source, as specified in RFC 7616.
Recommendations:
Update Catalyst::Authentication::Credential::HTTP to a version later than 1.018.
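For contrast with the Data::UUID-derived nonces described above, the following is an added example (not code from Catalyst::Authentication::Credential::HTTP) of a Digest nonce built from OS CSPRNG bytes and keyed with an HMAC so the server can later check that it issued the nonce and that it is still fresh. It assumes the CPAN modules Crypt::URandom and Digest::SHA are installed; the layout `issued_at:random:mac` is an illustrative choice, not a format the module uses.

```perl
#!/usr/bin/env perl
# Added example, not code from Catalyst::Authentication::Credential::HTTP:
# a Digest nonce built from CSPRNG bytes and an HMAC, instead of a
# Data::UUID value derived from known information.
use strict;
use warnings;
use Crypt::URandom qw(urandom);          # OS CSPRNG; assumed installed from CPAN
use Digest::SHA    qw(hmac_sha256_hex);
use MIME::Base64   qw(encode_base64 decode_base64);

# Per-process secret, never sent to clients; rotating it invalidates every nonce.
my $SERVER_SECRET = urandom(32);

# nonce = base64( issued_at ":" random_hex ":" HMAC(secret, issued_at ":" random_hex) )
sub make_nonce {
    my ($secret, $now) = @_;
    $now //= time;
    my $random = unpack 'H*', urandom(16);   # 128 bits of unpredictable material
    my $body   = "$now:$random";
    my $mac    = hmac_sha256_hex($body, $secret);
    return encode_base64("$body:$mac", '');  # '' = no trailing newline
}

# Accept only nonces this server issued (MAC matches) that are at most $max_age seconds old.
sub verify_nonce {
    my ($secret, $nonce, $max_age, $now) = @_;
    $now //= time;
    my ($issued, $random, $mac) = split /:/, decode_base64($nonce), 3;
    return 0 unless defined $mac && $issued =~ /^\d+\z/ && $random =~ /^[0-9a-f]{32}\z/;
    my $expected = hmac_sha256_hex("$issued:$random", $secret);
    return 0 unless constant_time_eq($expected, $mac);
    return 0 if $issued > $now || $now - $issued > $max_age;   # future-dated or stale
    return 1;
}

# Compare two strings without exiting early at the first mismatching byte.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

my $nonce = make_nonce($SERVER_SECRET);
printf "fresh nonce accepted:   %d\n", verify_nonce($SERVER_SECRET, $nonce, 300);
printf "stale nonce accepted:   %d\n", verify_nonce($SERVER_SECRET, $nonce, 300, time + 600);
printf "forged nonce accepted:  %d\n", verify_nonce($SERVER_SECRET, make_nonce('guessable'), 300);
```

A replay-resistant deployment would additionally track nonce counts (the `nc` parameter) per nonce; that bookkeeping is outside this example.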
Affected Products
Catalyst::Authentication::Credential::HTTP
Data::UUID
Debian