Impact
CGI::Session::ID::md5 versions prior to 4.49 generate session identifiers by hashing the process id, the current epoch time, and Perl's built-in rand() function. All three components are predictable and possess low entropy, allowing an attacker to enumerate or guess valid session IDs. This weakness corresponds to CWE-338 (Insufficient Entropy) and CWE-340 (Predictable Random Number Generation). An attacker who successfully predicts a session ID can create a forged session, thereby bypassing authentication and impersonating a legitimate user, compromising confidentiality and integrity of any data protected by that session.
Affected Systems
The vulnerability affects the MARKSTOS CGI::Session::ID::md5 module for Perl. Versions older than 4.49 are impacted. No specific operating system or server platform is listed, so any system running the affected module in a web context is at risk.
Risk and Exploitability
No CVSS score is provided, but the exploitability hinges on the ability to predict session identifiers from observable data. Because the epoch time and HTTP Date header can be observed, and the process ID is drawn from a small range, the risk is significant for public web applications. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via accessible web requests where an attacker can observe the Date header or otherwise approximate the server time. Once a session ID is guessed, an attacker can hijack the session and access or modify protected resources.
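A detection sketch for the guessing behaviour described above, added here as an example and not taken from the advisory or from CGI::Session: it flags clients that present many distinct session IDs unknown to the session store within a short window. The log format (timestamp, client address, `sid=`, `store=hit|miss`), the function name and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one client presents 8 different
# unknown IDs in 8 seconds; another has one valid session and one stale cookie.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T12:00:{i:02d} 203.0.113.9 sid={i:032x} store=miss"
     for i in range(8)]
    + ["2024-01-01T12:00:03 198.51.100.7 sid=" + "a" * 32 + " store=hit",
       "2024-01-01T12:00:40 198.51.100.7 sid=" + "b" * 32 + " store=miss"]
)

# MD5-style IDs are 32 lowercase hex characters.
LINE = re.compile(r"^(\S+) (\S+) sid=([0-9a-f]{32}) store=(hit|miss)$")


def find_guessing_clients(log_text, window_s=60, threshold=5):
    """Return {client: peak count of distinct unknown session IDs seen in any
    window_s-second window}, for clients whose peak reaches threshold."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(4) != "miss":
            continue  # malformed line, or the ID existed in the session store
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        misses[m.group(2)].append((ts, m.group(3)))

    window = timedelta(seconds=window_s)
    flagged = {}
    for client, events in misses.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({sid for _, sid in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    print(find_guessing_clients(SAMPLE_LOG))
```

A single stale cookie from a returning user stays below the threshold, so only repeated misses with changing IDs are reported.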