Description
Ado::Sessions versions through 0.935 for Perl generate insecure session ids.

The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predictable session ids could allow an attacker to gain access to systems.

Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Predictable Session IDs
Action: Replace Dependency
AI Analysis

Impact

Ado::Sessions versions through 0.935 for Perl produce session identifiers by SHA‑1 hashing the output of Perl's built‑in rand() together with the current epoch time and the process ID. None of these inputs is secret: rand() is not a cryptographically secure PRNG, the PID is drawn from a small range, and the epoch second can be guessed or read directly from the HTTP Date header. Hashing does not add entropy to its input, so the resulting identifiers are low‑entropy and predictable, and an attacker can guess or enumerate a valid one and take over the session, gaining unauthorized access to the application. The weakness is classified as use of a cryptographically weak PRNG (CWE‑338) and generation of predictable identifiers (CWE‑340).

Affected Systems

Any Perl application that loads Ado::Sessions (CPAN author BEROV) at version 0.935 or earlier is affected. The distribution is no longer maintained and has been removed from the CPAN index, though it remains available on BackPAN, so existing installations and vendored copies will not receive a fixed release. Any Perl project that includes or requires Ado::Sessions inherits the predictable session ID weakness.

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium). The EPSS score is below 1%, indicating a low estimated probability of exploitation in the near term, and the vulnerability is not listed in CISA's KEV catalog. The attack is remote and unauthenticated (AV:N/PR:N/UI:N): an attacker who can reach the application enumerates candidate session identifiers and presents each as a session cookie until one is accepted. No access to the session store or to the host is required; the search is narrowed by the small PID range and by any exposure of the server's clock, such as the HTTP Date header on any response or timestamps in logs. Because the identifier is a deterministic hash of its inputs, an attacker who can reproduce the rand() output of the serving process can regenerate a victim's identifier outright rather than guess it. Note that the published vector records no confidentiality or integrity impact (C:N/I:N/A:L), which understates session takeover; treat the 5.3 as a floor when prioritizing.

Generated by OpenCVE AI on April 8, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround has been provided, and none is expected: the distribution is unmaintained and has been removed from the CPAN index.

OpenCVE Recommended Actions

  • Replace Ado::Sessions with a maintained session management library that generates identifiers from a cryptographically secure random source (at least 128 bits of entropy per identifier).
  • If replacement is not immediately possible, override the ID generation to draw bytes from the operating system CSPRNG, for example via Crypt::URandom (urandom) or Bytes::Random::Secure (random_bytes), instead of hashing rand(), the epoch time and the PID. Invalidate all existing sessions when the change is deployed, since identifiers already issued remain predictable.
  • Avoid exposing the epoch time or other predictable inputs (e.g., HTTP Date headers, timestamps in error pages) where practical, but treat this as defence in depth only: the description notes the epoch time can be guessed even when it is not leaked, and a server's clock is normally within seconds of the attacker's, so hiding it does not substitute for a secure random source.

Generated by OpenCVE AI on April 8, 2026 at 18:20 UTC.
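As an added example, not code from Ado or from OpenCVE: the weak construction described in the Description and Impact sections above, beside the replacement the recommended actions call for. The exact concatenation of rand(), the epoch time and the PID inside the SHA-1, and the use of a hex digest, are assumptions about Ado::Sessions; Crypt::URandom is the assumed secure source (Digest::SHA ships with Perl). Seeding rand() with srand shows that the weak identifier is a pure function of (PRNG state, time, PID), which is exactly the search space an attacker works in.

```perl
#!/usr/bin/env perl
# Added example (not Ado's own code). Weak session ID construction as the
# advisory describes it, beside a hardened replacement. Concatenation order
# and hex digest are assumptions about Ado::Sessions.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use Crypt::URandom qw(urandom);   # assumed CSPRNG source: /dev/urandom or CryptGenRandom

# Weak: SHA-1 over rand() (a non-cryptographic PRNG), the epoch second and
# the PID. Every input is low-entropy or guessable, and hashing cannot add
# entropy that the inputs never had.
sub weak_session_id {
    my ($time, $pid) = @_;
    $time //= time;
    $pid  //= $$;
    return sha1_hex(join('', rand(), $time, $pid));
}

# Hardened: 32 bytes straight from the OS CSPRNG, hex-encoded. No clock,
# PID or rand() involved; a valid ID can only be hit by guessing 256 bits.
sub strong_session_id {
    return unpack('H*', urandom(32));
}

# With the PRNG state fixed, two "different" sessions created at the same
# second by the same process get the identical identifier. An attacker who
# can narrow the PRNG state, the second and the PID reproduces it exactly.
srand(12345);
my $weak1 = weak_session_id(1_700_000_000, 4242);
srand(12345);
my $weak2 = weak_session_id(1_700_000_000, 4242);
printf "weak ids match under a fixed seed:   %s\n", ($weak1 eq $weak2 ? 'yes' : 'no');

# Same experiment with the hardened generator: seeding rand() changes nothing,
# because rand() is not consulted at all.
srand(12345);
my $strong1 = strong_session_id();
srand(12345);
my $strong2 = strong_session_id();
printf "strong ids match under a fixed seed: %s\n", ($strong1 eq $strong2 ? 'yes' : 'no');

# Rough size of the attacker's search over the guessable inputs, assuming the
# rand() contribution has been recovered or is being searched separately:
# seconds of clock uncertainty times the PID range. A leaked Date header
# collapses the clock factor to a handful of seconds.
sub weak_search_space {
    my ($clock_window_s, $pid_range) = @_;
    return $clock_window_s * $pid_range;
}
printf "candidates for a 10 s window over 32768 PIDs: %d\n", weak_search_space(10, 32768);
```

Run it twice: the weak identifiers match under a fixed seed in both runs, while the two hardened identifiers differ from each other every time, regardless of srand. The 32-byte length is a choice, not a requirement; 16 bytes (128 bits) from the CSPRNG is already beyond brute force, whereas the weak scheme's 160-bit SHA-1 output has no more entropy than the few guessable inputs that feed it.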

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Berov ado\
CPEs                                  cpe:2.3:a:berov:ado\:\:sessions:*:*:*:*:*:perl:*:*
Vendors & Products                    Berov ado\

Wed, 08 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Berov
                                      Berov ado::sessions
Vendors & Products                    Berov
                                      Berov ado::sessions

Wed, 08 Apr 2026 19:30:00 +0000

Type                 Values Removed   Values Added
References

Wed, 08 Apr 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
                                      ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description                           Ado::Sessions versions through 0.935 for Perl generate insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems. Note that Ado is no longer maintained, and has been removed from the CPAN index. It is still available on BackPAN.
Title                                 Ado::Sessions versions through 0.935 for Perl generate insecure session ids
Weaknesses                            CWE-338
                                      CWE-340
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-08T17:24:13.917Z

Reserved: 2026-03-28T19:14:30.969Z

Link: CVE-2026-5083

Vulnrichment

Updated: 2026-04-08T17:24:13.917Z

NVD

Status : Analyzed

Published: 2026-04-08T06:16:29.163

Modified: 2026-04-23T15:04:27.973

Link: CVE-2026-5083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:50Z

Weaknesses