Description
Solstice::Session versions through 1440 for Perl generates session ids insecurely.

The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id.

The same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution.

The epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash references will contain predictable content. The built-in rand() function is seeded with only 16 bits and is unsuitable for security purposes. The process id comes from a small set of numbers.

Predictable session ids could allow an attacker to gain access to systems.
Published: 2026-04-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking via predictable session IDs
Action: Mitigate
AI Analysis

Impact

The _generateSessionID method in Solstice::Session and its counterpart in Solstice::Subsession produce session identifiers by concatenating the current epoch time, a stringified hash reference, the built-in rand() function, and the process ID, then hashing the result with MD5. Because the epoch time can be guessed, the hash reference is deterministic, rand() provides only 16 bits of entropy, and process IDs are drawn from a small set, the resulting token is highly predictable. This weakness enables an attacker to guess valid session identifiers and impersonate legitimate users, thereby gaining unauthorized access to protected resources. The flaw falls under the weaknesses of predictable random number generation (CWE-338) and inadequate entropy sources (CWE-340).

Affected Systems

All releases of the Solstice::Session module up to and including version 1440 distributed by MCRAWFOR on CPAN are affected. The Solstice::Subsession module, which shares the same token generation logic, is also vulnerable. Applications that rely on these modules for session handling are at risk, and no later release is documented that resolves the issue.

Risk and Exploitability

The CVSS score of 9.1 classifies the vulnerability as critical, indicating that successful exploitation results in full system compromise. The EPSS score of less than 1% suggests that, at present, the likelihood of exploitation is low, but the high severity still demands attention. The flaw does not appear in the CISA Known Exploited Vulnerabilities catalog, implying no publicly documented exploits yet. A likely attack vector is a remote network attacker who can observe or guess session identifiers transmitted in cookies or URLs. Because the token is based on components that can be predicted or brute-forced, an attacker can attempt to guess a valid session ID with minimal effort, especially if the HTTP Date header exposes the epoch time or if the application logs session IDs in a way that is readable to the attacker. Successful guessing would allow session hijacking and full access to the victim's privileged state.

Generated by OpenCVE AI on April 13, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the vulnerable _generateSessionID logic with a cryptographically secure random generator, such as Perl's Crypt::Secure::Random or Data::UUID, to construct session identifiers.
  • Ensure that session identifiers are only transmitted over HTTPS and that they are not logged or exposed in referrer headers or URLs.
  • Regenerate session identifiers upon each successful authentication and periodically rotate them to limit the window of opportunity for an attacker.
  • If a newer release of Solstice::Session is released that addresses the issue, upgrade to that version as soon as possible.
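As an added illustration (not code from the Solstice distribution), the following Perl places the generator that the description above reconstructs beside the replacement the first recommended action calls for. It uses only core modules and assumes a Unix-like host that exposes /dev/urandom; the function names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);   # core module

# Weak scheme, reconstructed from the advisory text for comparison only
# (not the distribution's actual source). Each input is guessable:
# time() to the second, a hash-reference address with little variation,
# rand() drawn from a small seed space, and a pid from a small range.
sub _weakSessionID {
    my $ref = {};                      # stringifies to HASH(0x...)
    return md5_hex( time() . "$ref" . rand() . $$ );
}

# Hardened replacement: 16 bytes from the kernel CSPRNG, hex-encoded.
# Core Perl only, so it can stand in for _generateSessionID directly.
# Assumes a Unix-like host exposing /dev/urandom.
sub _secureSessionID {
    my $want = 16;                     # 128 bits of entropy
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length $buf < $want) {      # loop guards against short reads
        my $n = sysread $fh, $buf, $want - length $buf, length $buf;
        die "read from /dev/urandom failed: $!" unless $n;
    }
    close $fh;
    return unpack 'H*', $buf;          # 32 lowercase hex characters
}

# Sanity check: the secure id has the expected shape and two calls differ.
my ($id1, $id2) = (_secureSessionID(), _secureSessionID());
die "unexpected id format" unless $id1 =~ /\A[0-9a-f]{32}\z/;
die "ids must not repeat"  if $id1 eq $id2;
print "weak:   ", _weakSessionID(), "\n";
print "secure: $id1\n";
```

If a non-core dependency is acceptable, Crypt::URandom from CPAN returns the same kernel-sourced bytes portably, including on Windows where /dev/urandom is absent.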

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Mcrawfor solstice\
CPEs                  -                cpe:2.3:a:mcrawfor:solstice\:\:session:1440:*:*:*:*:perl:*:*
Vendors & Products    -                Mcrawfor solstice\

Mon, 13 Apr 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:30:00 +0000

Type         Values Removed   Values Added
References

Mon, 13 Apr 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Mon, 13 Apr 2026 13:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Mcrawfor; Mcrawfor solstice::session
Vendors & Products    -                Mcrawfor; Mcrawfor solstice::session

Mon, 13 Apr 2026 07:15:00 +0000

Type          Values Removed   Values Added
Description   -                Solstice::Session versions through 1440 for Perl generates session ids insecurely. The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id. The same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution. The epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash references will contain predictable content. The built-in rand() function is seeded with only 16 bits and is unsuitable for security purposes. The process id comes from a small set of numbers. Predictable session ids could allow an attacker to gain access to systems.
Title         -                Solstice::Session versions through 1440 for Perl generates session ids insecurely
Weaknesses    -                CWE-338; CWE-340
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-13T15:30:06.627Z

Reserved: 2026-03-28T19:20:25.997Z

Link: CVE-2026-5085

Vulnrichment

Updated: 2026-04-13T15:30:06.627Z

NVD

Status : Analyzed

Published: 2026-04-13T07:16:50.543

Modified: 2026-04-23T15:02:38.933

Link: CVE-2026-5085

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:35:22Z

Weaknesses