Description
Amazon::Credentials versions through 1.2.0 for Perl use rand to generate encryption keys.

Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object.

Before version 1.3.0, the secrets were encrypted using a 64-bit key that was generated using the built-in rand function, which is predictable and unsuitable for cryptography.
Published: 2026-05-11
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Amazon::Credentials Perl module versions through 1.2.0 use the built-in rand function to create a 64-bit encryption key, which is predictable and unsuitable for cryptographic purposes. Because secrets are stored in an obfuscated form using this key, an attacker who can generate the expected rand sequence can derive the key and decrypt the credentials, directly compromising the confidentiality of stored secrets without requiring additional access beyond what is needed to read the encrypted data. This weakness falls under the cryptographically weak key generation flaw (CWE-338).

Affected Systems

All versions of the BIGFOOT:Amazon::Credentials Perl module up to and including 1.2.0 are affected, as the issue is present in the encryption logic used in those releases.

Risk and Exploitability

The vulnerability has no publicly known CVSS score or EPSS value, and it has not been listed in the CISA KEV catalog. However, the predictability of the rand-based key allows a threat actor with read access to the encrypted credentials to compute the key. The attack vector is most likely local or application-level, requiring the ability to read the obfuscated secrets, after which the attacker can decrypt them. The confidentiality impact is significant for any system that stores sensitive data using this module.

Generated by OpenCVE AI on May 11, 2026 at 21:05 UTC.

Remediation

Vendor Solution

Upgrade to version 1.3.0 or later.
OpenCVE Recommended Actions

  • Upgrade Amazon::Credentials to version 1.3.0 or later.
  • Rotate existing credentials and re-encrypt them with a securely generated key.
  • Restrict file system permissions to ensure only the application can read the credential files.

Generated by OpenCVE AI on May 11, 2026 at 21:05 UTC.
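The following Perl script is an added example written for this page; it is not code from Amazon::Credentials, CPANSec or OpenCVE. It makes the weakness behind CWE-338 visible (a 64-bit key built from the built-in rand is fully determined by the seed, so two runs with the same seed yield the same key) and shows the remediation the recommended actions call for: drawing key material from the operating system's CSPRNG instead. The function names, the seed value and the use of /dev/urandom are assumptions made for the illustration; the module's own key-derivation code is not reproduced here.

```perl
#!/usr/bin/env perl
# Added example, not code from Amazon::Credentials.
# Contrasts a 64-bit key built from Perl's built-in rand (the weak pattern
# the advisory describes) with one drawn from the OS CSPRNG.
use strict;
use warnings;

# Weak (hypothetical helper): rand() is a seeded, non-cryptographic PRNG.
# Given the same seed, the whole sequence, and therefore the key, repeats.
# Kept only to demonstrate the failure mode; never use this for real keys.
sub weak_key_from_rand {
    my ($seed) = @_;
    srand($seed);
    my $key = '';
    $key .= chr(int(rand(256))) for 1 .. 8;    # 8 bytes = 64 bits
    return $key;
}

# Strong (hypothetical helper): read the key bytes from the kernel CSPRNG.
# Crypt::URandom from CPAN is the portable choice; /dev/urandom is read
# directly here so the example has no non-core dependency (assumption: a
# Unix-like host).
sub key_from_csprng {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $key, $nbytes;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $nbytes;
    return $key;
}

sub hex_of { return unpack 'H*', $_[0] }

# Failure mode: two "random" keys from the same seed are byte-for-byte equal.
my $k1 = weak_key_from_rand(42);
my $k2 = weak_key_from_rand(42);
print "rand key, seed 42, run 1: ", hex_of($k1), "\n";
print "rand key, seed 42, run 2: ", hex_of($k2), "\n";
print "identical: ", ($k1 eq $k2 ? 'yes' : 'no'), "\n";   # yes

# Remediated path: each call returns fresh, unpredictable key material.
my $s1 = key_from_csprng(8);
my $s2 = key_from_csprng(8);
print "csprng key 1: ", hex_of($s1), "\n";
print "csprng key 2: ", hex_of($s2), "\n";
print "identical: ", ($s1 eq $s2 ? 'yes' : 'no'), "\n";   # no
```

Two points worth keeping in mind when re-encrypting rotated credentials: calling srand with no argument does not help, because Perl's default seed is chosen for statistical quality rather than unpredictability, and a 64-bit key is short for a modern symmetric cipher regardless of how it is generated, so the CSPRNG call above would normally request 16 or 32 bytes for the cipher actually in use.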


Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bigfoot
                                      Bigfoot amazon::credentials
Vendors & Products                    Bigfoot
                                      Bigfoot amazon::credentials

Mon, 11 May 2026 22:30:00 +0000

Type                 Values Removed   Values Added
References

Mon, 11 May 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description                    Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object. Before version 1.3.0, the secrets were encrypted using a 64-bit key that was generated using the built-in rand function, which is predictable and unsuitable for cryptography.
Title                          Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys
Weaknesses                     CWE-338
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-11T21:29:37.446Z

Reserved: 2026-04-12T17:24:50.568Z

Link: CVE-2026-6146

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-11T20:25:47.597

Modified: 2026-05-12T16:48:58.260

Link: CVE-2026-6146

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:24Z

Weaknesses