CVE-2025-40933
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-09-17
Last updated on: 2025-09-18
Assigner: CPANSec
Description
Description
Apache::AuthAny::Cookie v0.201 or earlier for Perl generates session ids insecurely.
Session ids are generated using an MD5 hash of the epoch time and a call to the built-in rand function. The epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Predicable session ids could allow an attacker to gain access to systems.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | apache2_authany | 0.201 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-340 | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
