PT-2025-38160 · Kgoldov · Apache::Authany

Published

2025-09-17

Updated

2025-09-17

CVE-2025-40933

CVSS v3.1

7.5

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely.

Session ids are generated using an MD5 hash of the epoch time and a call to the built-in rand function. The epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-338CWE-340

Related Identifiers

CVE-2025-40933

Affected Products

Apache::Authany

PT-2025-38160 · Kgoldov · Apache::Authany

Weakness Enumeration

Related Identifiers

Affected Products

References · 2