Description
Solstice::Session versions through 1440 for Perl generate session ids insecurely.

The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id.

The same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution.

The epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash references will contain predictable content. The built-in rand() function is seeded with 16 bits and is unsuitable for security purposes. The process id comes from a small set of numbers.

Predictable session ids could allow an attacker to gain access to systems.
Published: 2026-04-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking via Predictable Session IDs
Action: Immediate Patch
AI Analysis

Impact

Versions of Solstice::Session up to 1440 generate session identifiers with insufficient entropy, combining the current epoch time, a stringified hash reference, Perl’s 16‑bit seeded rand() function, and the process ID, then hashing the result with MD5. This weakness is mapped to CWE‑338 and CWE‑340. The predictable session ids enable an attacker to guess or brute‑force valid identifiers, potentially gaining unauthorized access to protected resources and compromising confidentiality and integrity.

Affected Systems

The vulnerability affects the Perl distribution MCRAWFOR:Solstice::Session, including all releases through version 1440. Users deploying these versions in web or application servers are at risk unless they upgrade beyond the affected release line.

Risk and Exploitability

The exploit likelihood is high because the deterministic elements make session IDs sufficiently predictable for an attacker. Although no CVSS score is provided, the absence of a known exploit (EPSS not available, not in KEV) does not mitigate the risk; the attack vector is inferred to be remote via HTTP or similar protocols where session tokens are transmitted. The impact could extend across the entire system if the session ID is used to authenticate a user or process.

Generated by OpenCVE AI on April 13, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Seek and apply a newer release of Solstice::Session beyond version 1440 or a vendor‑issued patch that uses a cryptographically secure random number generator for session IDs
  • If an upgrade is not immediately possible, replace _generateSessionID with a function that uses per‑request high‑entropy cryptographic random data and a strong hash algorithm
  • Rotate all active session identifiers after remediation and invalidate any that may have been compromised
  • Monitor access logs for anomalous session activity and implement rate‑limiting or detection rules for repeated session ID requests
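The generator pattern the description names (MD5 over epoch time, a stringified hash reference, rand() and the pid) and the replacement the second recommended action asks for (per-request CSPRNG bytes under a strong hash), side by side in Perl. This is an added illustration, not code from the Solstice::Session distribution or from the advisory: weak_session_id is a constructed stand-in for the described pattern, not the real _generateSessionID, and weak_session_id, secure_session_id, _os_random_bytes and is_legacy_id are hypothetical names. It assumes a Unix-like host with /dev/urandom and only core modules (Digest::MD5, Digest::SHA).

```perl
#!/usr/bin/env perl
# Added illustration, not Solstice::Session's own code.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(sha256_hex);

# Constructed stand-in for the weak pattern the advisory describes:
# MD5 over (epoch time, stringified hash ref, rand(), pid). Each input is
# observable or drawn from a small space, so the 128-bit digest carries
# far less than 128 bits of entropy. Hypothetical name.
sub weak_session_id {
    my $ref  = {};                              # stringifies as HASH(0x...)
    my $seed = join '', time(), $ref, rand(), $$;
    return md5_hex($seed);
}

# Hardened replacement (hypothetical name): 32 fresh bytes from the OS
# CSPRNG on every call, hashed with SHA-256 so the id keeps a fixed shape
# (64 hex chars). Nothing observable by a client goes into the id.
sub secure_session_id {
    my $bytes = _os_random_bytes(32);
    return sha256_hex($bytes);
}

# Read exactly $n bytes from /dev/urandom. Fail closed on any error rather
# than falling back to rand(), which would silently reintroduce the flaw.
sub _os_random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = sysread $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $n;
    return $buf;
}

# Ids from the old generator are 32 hex chars (MD5); new ones are 64
# (SHA-256). A server can use this to refuse and reissue any legacy id
# still presented after the swap, which implements the "rotate all active
# session identifiers" step. Hypothetical name.
sub is_legacy_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[0-9a-f]{32}\z/ ? 1 : 0;
}

if (!caller) {
    print "weak:   ", weak_session_id(),   "\n";
    print "secure: ", secure_session_id(), "\n";
    print "legacy? ", is_legacy_id(weak_session_id()),   "\n";   # 1
    print "legacy? ", is_legacy_id(secure_session_id()), "\n";   # 0
}
```

Run with `perl session_id.pl`. If /dev/urandom is unavailable, secure_session_id dies rather than producing a weak id; a portable CPAN alternative for the byte source is Crypt::URandom, which wraps the platform CSPRNG. The SHA-256 step does not add entropy, it only fixes the output format; the security comes from the 256 random bits that go in.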



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 17:15:00 +0000
Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:30:00 +0000
Type: References

Mon, 13 Apr 2026 15:30:00 +0000
Type: Metrics (cvssV3_1)
Values added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Mon, 13 Apr 2026 13:00:00 +0000
Type: First Time appeared
Values added: Mcrawfor; Mcrawfor solstice::session
Type: Vendors & Products
Values added: Mcrawfor; Mcrawfor solstice::session

Mon, 13 Apr 2026 07:15:00 +0000
Type: Description
Values added: Solstice::Session versions through 1440 for Perl generate session ids insecurely. The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id. The same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution. The epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash references will contain predictable content. The built-in rand() function is seeded with 16 bits and is unsuitable for security purposes. The process id comes from a small set of numbers. Predictable session ids could allow an attacker to gain access to systems.
Type: Title
Values added: Solstice::Session versions through 1440 for Perl generate session ids insecurely
Type: Weaknesses
Values added: CWE-338; CWE-340
Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-13T15:30:06.627Z

Reserved: 2026-03-28T19:20:25.997Z

Link: CVE-2026-5085

Vulnrichment

Updated: 2026-04-13T15:30:06.627Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T07:16:50.543

Modified: 2026-04-13T16:16:33.760

Link: CVE-2026-5085

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:52:39Z

Weaknesses