CVE-2026-3256 in KTAT HTTP::Sessioninfo

Zusammenfassung (Englisch)

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. The distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.

Zuständig

CPANSec

Reservieren

26.02.2026

Veröffentlichung

28.03.2026

Einträge

VulDB provides additional information and datapoints for this CVE:

ID	Schwachstelle	CWE	Aus	Mas	CVE
354086	KTAT HTTP::Session Session ID SHA1 Information Disclosure	340	Nicht definiert	Nicht definiert	CVE-2026-3256

Beschreibung

CPE

CWE

CVSS

Exploits

History

Diff

Verknüpfen

Threat Intelligence

API JSON

API XML

API CSV

◂ ZurückÜbersichtWeiter ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!