216.73.217.80

CVE-2026-5084

· Published 11/05/2026 08:16 · Modified 12/05/2026 16:48

Labels: CVE-2026-5084 2026-05-119b29abf9-4ab0-4765-b253-1875cd9b441eCVE-2026-5084CWE-338

Essential information

Published
11/05/2026 08:16
Modified
12/05/2026 16:48
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS metrics

Description

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand() function. The rand function is passed a maximum value based on the process id, the epoch time and the reference address of the object, but this information will have no effect on the overall quality of the seed of the message digest. The rand function is seeded by 32-bits and is predictable. It is considered unsuitable for cryptographic purposes. Predictable session ids could allow an attacker to gain access to systems. Note that WebDyne::Session versions 1.042 and earlier appear to be in separate distributions from WebDyne.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
9b29abf9-4ab0-4765-b253-1875cd9b441e
NVD
View on NVD

Affected products (CPE)

ProductCPE
webdyne / webdyne session cpe:2.3:a:webdyne:webdyne_session:<2.075:*:*:*:*:*:*

References