CVE-2026-5082

Published 08/04/2026 06:16 · Modified 08/04/2026 21:26

Labels: CVE-2026-5082, 2026-04-08, 9b29abf9-4ab0-4765-b253-1875cd9b441e, CWE-338

Essential information

Published
08/04/2026 06:16
Modified
08/04/2026 21:26
Author
Creator
CVSS
5.3 MEDIUM (v3.1)
CISA KEV
No
CWE
CWE-338
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable it generates bytes using a SHA-1 hash seeded with the built-in rand() function, the PID, and the high-resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604. Note that the author has deprecated this module.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
9b29abf9-4ab0-4765-b253-1875cd9b441e

Affected products (CPE)

Product                          CPE
amon2 / plugin web csrfdefender  cpe:2.3:a:amon2:plugin_web_csrfdefender:7.00-7.03:*:*:*:*:*:*:*
amon2 / plugin web csrfdefender  cpe:2.3:a:amon2:plugin_web_csrfdefender:<7.00:*:*:*:*:*:*:*