{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-3255","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-02-26T11:43:17.278Z","datePublished":"2026-02-27T20:12:35.414Z","dateUpdated":"2026-03-03T20:23:53.160Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"HTTP-Session2","product":"HTTP::Session2","repo":"https://github.com/tokuhirom/HTTP-Session2","vendor":"TOKUHIROM","versions":[{"lessThan":"1.12","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function.\n\nThe HTTP::Session2 session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand() function is unsuitable for cryptographic usage.\n\nHTTP::Session2 after version 1.02 will attempt to use the /dev/urandom device to generate a session id, but if the device is unavailable (for example, under Windows), then it will revert to the insecure method described above."}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-340","description":"CWE-340 Generation of Predictable Numbers or Identifiers","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-338","description":"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-02-27T20:12:35.414Z"},"references":[{"url":"https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.11/source/lib/HTTP/Session2/Random.pm#L35"},{"url":"https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.01/source/lib/HTTP/Session2/ServerStore.pm#L68"},{"tags":["release-notes"],"url":"https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.12/changes"},{"tags":["patch"],"url":"https://github.com/tokuhirom/HTTP-Session2/commit/9cfde4d7e0965172aef5dcfa3b03bb48df93e636.patch"}],"solutions":[{"lang":"en","value":"HTTP::Session2 has been deprecated since version 1.11. Migrate to a different solution."}],"source":{"discovery":"UNKNOWN"},"timeline":[{"lang":"en","time":"2014-07-31T00:00:00.000Z","value":"version 1.02 HTTP::Session2 released that attempts to use /dev/urandom."},{"lang":"en","time":"2026-02-24T00:00:00.000Z","value":"version 1.11 HTTP::Session2 deprecated"},{"lang":"en","time":"2026-02-26T00:00:00.000Z","value":"version 1.12 HTTP::Session2 released with a fix with a portable solution."}],"title":"HTTP::Session2 versions before 1.12 for Perl may generate weak session ids using the rand() function","workarounds":[{"lang":"en","value":"Upgrade to version 1.12 or later."}],"x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/02/27/12"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-02-28T00:15:39.689Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.5,"attackVector":"NETWORK","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-03-03T20:23:27.914632Z","id":"CVE-2026-3255","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-03T20:23:53.160Z"}}]}}