Impact
The vulnerability in Crypt::DSA versions before 1.22 originates from a biased random number generator used to produce the DSA signing nonce and private key. The implementation forces the high bit on each generated value, creating a non‑uniform distribution that can be exploited using a lattice-based attack. An attacker who gathers a modest number of signatures signed with an affected key, together with the public key, can recover the private key, thereby compromising the integrity and authenticity guarantees of all signatures generated with that key.
Affected Systems
The affected product is TIMLEGGE Crypt::DSA for Perl, specifically all releases prior to 1.22. While the module was deprecated in version 1.20, any version before 1.22 remains vulnerable and should be avoided or updated.
Risk and Exploitability
Because the flaw permits private key recovery from collected signatures, the risk is high when the affected key is used in production or signatures are publicly observable. Exploitation requires the attacker to obtain a set of signatures and the corresponding public key, which is realistic for users signing logs or communications. The EPSS score of less than 1% indicates a low overall likelihood of exploitation, and the vulnerability is not listed in CISA KEV; however, the cryptographic weakness remains a serious threat when the key is in use.
OpenCVE Enrichment