Description
Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts.

The _make_salt and _make_salt_bcrypt methods attempt to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If neither module is available, the methods simply return 16 bytes generated with Perl's built-in rand function.

The rand function is unsuitable for cryptographic use.

These salts are used for password hashing.
Published: 2026-04-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Apache::API::Password module generates random salts for password hashing. If the modules Crypt::URandom or Bytes::Random::Secure are unavailable, the code falls back to Perl's built‑in rand function, which is unsuitable for cryptographic use. Salts generated in this manner are predictable and weaken the security of the stored password hashes, making it easier for an attacker to perform offline brute‑force or rainbow‑table attacks on compromised credentials.

Affected Systems

The vulnerability affects the JDEGUEST Apache::API::Password library, versions 0.5.2 and earlier. Systems that use these versions for password hashing, such as Perl web applications that depend on this module, are impacted. No other vendor products are listed as affected in the CNA data.

Risk and Exploitability

The EPSS score is 0.00047 (<1%) and the vulnerability is not listed in CISA’s KEV catalog, indicating no confirmed active exploitation at this time. However, the weakness directly compromises the confidentiality of stored passwords, a high‑impact asset. If an attacker obtains a password database, the predictable salts significantly reduce the effort required for offline cracking. The likely attack vector is a compromised system or a credential dump, and the weakness is exploitable by any party with access to hashed passwords or the application source that uses the vulnerable library.

Generated by OpenCVE AI on May 2, 2026 at 08:16 UTC.

Remediation

Vendor Solution

Upgrade to version v0.5.3 or later, and install Crypt::URandom.


Vendor Workaround

Install Crypt::URandom.


OpenCVE Recommended Actions

  • Upgrade Apache::API::Password to version 0.5.3 or later, which implements secure random salt generation.
  • Install Crypt::URandom to provide a strong cryptographic random source for the module.
  • If an immediate upgrade is not possible, use Crypt::URandom as a temporary workaround to improve salt randomness.
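As an added illustration of the fail-closed pattern behind these recommendations (this is example code, not Apache::API::Password's own implementation; the names secure_random_source and make_salt are this example's own), the following Perl script tries the two sources the description names, Crypt::URandom and then Bytes::Random::Secure, and dies instead of falling back to rand when neither is installed. Run as-is it also serves as a deployment check, reporting which source the installed Perl would actually use.

```perl
#!/usr/bin/env perl
# Added example (not Apache::API::Password's own code): a salt generator that
# tries the same two CSPRNG sources the advisory names, but refuses to fall
# back to Perl's rand(), which is what versions through 0.5.2 do.
use strict;
use warnings;

# Try each cryptographic source in turn, in the order the advisory describes:
# Crypt::URandom first, then Bytes::Random::Secure. Returns the module name and
# a code ref that yields N random bytes, or an empty list if neither is present.
sub secure_random_source {
    if ( eval { require Crypt::URandom; 1 } ) {
        return ( 'Crypt::URandom', sub { Crypt::URandom::urandom( $_[0] ) } );
    }
    if ( eval { require Bytes::Random::Secure; 1 } ) {
        return ( 'Bytes::Random::Secure',
            sub { Bytes::Random::Secure::random_bytes( $_[0] ) } );
    }
    return;
}

# Fail closed: a missing CSPRNG is a deployment error, not a reason to use rand().
sub make_salt {
    my $len = shift // 16;
    my ( $name, $gen ) = secure_random_source()
        or die "No cryptographic random source available; install Crypt::URandom\n";
    my $salt = $gen->($len);
    die "Random source $name returned " . length($salt) . " bytes, expected $len\n"
        unless length($salt) == $len;
    return $salt;
}

# Deployment check: report which source this Perl installation would use.
my ($name) = secure_random_source();
if ( defined $name ) {
    print "Salt source: $name\n";
    my $salt = make_salt(16);
    printf "Generated %d-byte salt: %s\n", length $salt, unpack( 'H*', $salt );
}
else {
    print "WARNING: neither Crypt::URandom nor Bytes::Random::Secure is installed;\n",
          "         a vulnerable Apache::API::Password would fall back to rand()\n";
}
```

The quickest way to confirm the vendor workaround took effect on a host is the one-liner `perl -MCrypt::URandom -e 'print "ok\n"'`; if it prints an error instead of `ok`, the module that both the vendor solution and the workaround depend on is not visible to that Perl interpreter.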

Advisories

No advisories yet.

History

Fri, 01 May 2026 16:15:00 +0000

Type: Description
Values Removed: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function. The rand function is unsuitable for cryptographic use. These salts are used for password hashing.
Values Added: Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function. The rand function is unsuitable for cryptographic use. These salts are used for password hashing.

Type: Title
Values Removed: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts
Values Added: Apache::API::Password versions through 0.5.2 for Perl can generate insecure random values for salts

Thu, 16 Apr 2026 12:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 18:30:00 +0000


Wed, 15 Apr 2026 15:15:00 +0000

Type: First Time appeared
Values Added: Jdeguest; Jdeguest apache::api::password

Type: Vendors & Products
Values Added: Jdeguest; Jdeguest apache::api::password

Wed, 15 Apr 2026 07:45:00 +0000

Type: Description
Values Added: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function. The rand function is unsuitable for cryptographic use. These salts are used for password hashing.

Type: Title
Values Added: Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts

Type: Weaknesses
Values Added: CWE-338

Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-01T16:03:43.825Z

Reserved: 2026-03-28T19:31:47.729Z

Link: CVE-2026-5088

Vulnrichment

Updated: 2026-04-15T17:24:20.860Z

NVD

Status : Awaiting Analysis

Published: 2026-04-15T08:16:16.790

Modified: 2026-05-01T16:16:32.900

Link: CVE-2026-5088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses