DEBIAN-CVE-2025-40920

Source
https://security-tracker.debian.org/tracker/CVE-2025-40920
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-40920.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-40920
Upstream
Published
2025-08-11T21:15:28Z
Modified
2025-10-14T04:26:52.276456Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
[none]
Details

Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library.
  • Data::UUID does not use a strong cryptographic source for generating UUIDs.
  • Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562.
  • The nonces should be generated from a strong cryptographic source, as per RFC 7616.
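As an added example (not code from Catalyst::Authentication::Credential::HTTP, Data::UUID or the Debian package), the following Perl shows one way to mint and verify HTTP Digest nonces the way the advisory's last point asks for: the per-nonce randomness comes from the kernel CSPRNG rather than from a UUID built out of known inputs, and the nonce carries a keyed hash over its time-stamp, the resource ETag and a server secret, which is the layout RFC 7616 suggests. It assumes a Unix-like host with /dev/urandom and only core modules (Digest::SHA, MIME::Base64). The function names, the 300-second lifetime, the 16-byte salt and the ETag binding are choices made here for illustration, not the module's own API.

```perl
#!/usr/bin/perl
# Added example: CSPRNG-backed Digest nonces with a server-side validity check.
# Not part of Catalyst::Authentication::Credential::HTTP; names and parameters
# below are illustrative assumptions.
use strict;
use warnings;
use Digest::SHA  qw(hmac_sha256_hex);
use MIME::Base64 qw(encode_base64 decode_base64);

# Pull bytes from the kernel CSPRNG. This is the "strong cryptographic source"
# the advisory asks for; a UUID assembled from time, node id or a name/namespace
# is reproducible by anyone who knows those inputs and is not a substitute.
sub read_urandom {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return $buf;
}

# Per-process secret (assumption: one worker; a multi-worker deployment would
# load a shared, persisted secret so nonces verify on every worker).
my $SECRET  = read_urandom(32);
my $MAX_AGE = 300;   # seconds a nonce stays fresh before the server says stale=true

# Nonce layout, base64 of:  time-stamp ":" salt ":" HMAC-SHA256(time-stamp ":" salt ":" ETag, secret)
# The salt makes every nonce unique; the MAC makes it unforgeable without $SECRET.
sub make_nonce {
    my ($etag, $now) = @_;
    $etag //= '';
    $now  //= time;
    my $salt = unpack 'H*', read_urandom(16);
    my $mac  = hmac_sha256_hex("$now:$salt:$etag", $SECRET);
    return encode_base64("$now:$salt:$mac", '');
}

# Constant-time string comparison so a forger cannot learn the expected MAC
# one byte at a time from response timing.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Server-side check of a nonce echoed back in an Authorization header.
# Returns (1, 'ok') or (0, reason); 'stale' is the case RFC 7616 lets the
# server answer with stale=true so the client retries without re-prompting.
sub check_nonce {
    my ($nonce, $etag, $now) = @_;
    $etag //= '';
    $now  //= time;
    my ($ts, $salt, $mac) = split /:/, decode_base64($nonce), 3;
    return (0, 'malformed')
        unless defined $mac
            && $ts   =~ /\A\d+\z/
            && $salt =~ /\A[0-9a-f]{32}\z/
            && $mac  =~ /\A[0-9a-f]{64}\z/;
    my $expect = hmac_sha256_hex("$ts:$salt:$etag", $SECRET);
    return (0, 'bad_mac') unless ct_eq($mac, $expect);
    return (0, 'stale')   if $ts > $now || $now - $ts > $MAX_AGE;
    return (1, 'ok');
}

# Demonstration with constructed inputs.
my $nonce = make_nonce('"etag-v1"');
my ($ok, $why);

($ok, $why) = check_nonce($nonce, '"etag-v1"');
printf "fresh nonce, same ETag : %s\n", $why;    # ok

($ok, $why) = check_nonce($nonce, '"etag-v2"');
printf "same nonce, other ETag : %s\n", $why;    # bad_mac

($ok, $why) = check_nonce($nonce, '"etag-v1"', time + $MAX_AGE + 1);
printf "nonce past its lifetime: %s\n", $why;    # stale

# A client that knows the layout but not $SECRET still cannot mint one.
my $forged = encode_base64(join(':', time, 'a' x 32, 'b' x 64), '');
($ok, $why) = check_nonce($forged, '"etag-v1"');
printf "forged without secret  : %s\n", $why;    # bad_mac
```

The check is what turns a random nonce into a useful one: because the MAC is keyed, the server does not need to remember issued nonces to reject forged or altered ones, and the embedded time-stamp gives it a bounded replay window. Replay within the window is still possible with this layout alone; if that matters, track the nonce-count (`nc`) per nonce as RFC 7616 describes.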

References

Affected packages

Debian:11

libcatalyst-authentication-credential-http-perl

Package

Name
libcatalyst-authentication-credential-http-perl
Purl
pkg:deb/debian/libcatalyst-authentication-credential-http-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*

1.018-1
1.018-2
1.018-3
1.018-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12

libcatalyst-authentication-credential-http-perl

Package

Name
libcatalyst-authentication-credential-http-perl
Purl
pkg:deb/debian/libcatalyst-authentication-credential-http-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*

1.018-2
1.018-3
1.018-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13

libcatalyst-authentication-credential-http-perl

Package

Name
libcatalyst-authentication-credential-http-perl
Purl
pkg:deb/debian/libcatalyst-authentication-credential-http-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*

1.018-3
1.018-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14

libcatalyst-authentication-credential-http-perl

Package

Name
libcatalyst-authentication-credential-http-perl
Purl
pkg:deb/debian/libcatalyst-authentication-credential-http-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.018-4

Affected versions

1.*

1.018-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}