CPANSA-Amon2-Plugin-Web-CSRFDefender-2026-5082: Amon2-Plugin-Web-CSRFDefender vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-04-08T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-04-08T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 5.3 | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerability Description
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id.

The generate_session_id function attempts to read bytes from the /dev/urandom device, but if that device is unavailable it instead generates bytes from a SHA-1 hash seeded with the built-in rand() function, the PID, and the high-resolution epoch time. The PID comes from a small set of numbers, and the epoch time may be guessed if it is not already leaked through the HTTP Date header. The built-in rand() function is unsuitable for cryptographic use.

Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604.

Note that the author has deprecated this module.
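As an added illustration (not the module's own code), the weak fallback pattern the description above reconstructs, next to a variant that refuses to fall back; it assumes a 16-byte id and hex encoding, which are choices made here, not taken from the module:

```perl
#!/usr/bin/env perl
# Illustrative reconstruction of the weak fallback described in the advisory
# (not the module's code), beside a hardened variant that fails closed.
use strict;
use warnings;
use Digest::SHA qw(sha1);
use Time::HiRes ();

# Weak pattern (CWE-338): when /dev/urandom cannot be opened, derive the id
# from perl's rand(), the PID and the epoch time. Hashing low-entropy,
# guessable inputs with SHA-1 does not make the result unpredictable.
sub weak_session_id {
    my $bytes;
    if (open my $fh, '<:raw', '/dev/urandom') {
        read $fh, $bytes, 16;
        close $fh;
    }
    else {
        # rand() is not a CSPRNG, $$ spans a small range, and the time is
        # often exposed to clients (e.g. via the HTTP Date header).
        $bytes = sha1(rand() . $$ . Time::HiRes::time());
    }
    return unpack 'H*', $bytes;
}

# Hardened variant: the id only ever comes from the kernel CSPRNG; a missing
# device or a short read is an error, never a silent downgrade.
sub strong_session_id {
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 16;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    return unpack 'H*', $bytes;
}

print "session id: ", strong_session_id(), "\n";
```

On platforms without /dev/urandom, the CPAN module Crypt::URandom (urandom($n)) wraps the platform CSPRNG portably and is the usual replacement for a hand-rolled fallback.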
Vulnerabilities
CVE-2026-5082
| Weakness | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
|---|---|
Product status
Known affected
| Product | Score |
|---|---|
| Amon2-Plugin-Web-CSRFDefender greater than or equal 7.00 and less than or equal 7.03 | |
Fixed
- Amon2-Plugin-Web-CSRFDefender greater than or equal 7.04
Publisher: giterlizzi
Namespace: https://github.com/giterlizzi/
Contact: gdt@cpan.org
References
- CPANSA-Amon2-Plugin-Web-CSRFDefender-2026-5082 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-amon2-plugin-web-csrfdefender-2026-5082.json
- Affected source, Random.pm in 7.03 (external): https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.03/source/lib/Amon2/Plugin/Web/CSRFDefender/Random.pm
- Changes for 7.04 (external): https://metacpan.org/release/TOKUHIROM/Amon2-Plugin-Web-CSRFDefender-7.04/changes
- CVE-2025-15604 (external): https://www.cve.org/CVERecord?id=CVE-2025-15604
- CVE-2026-5082 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2026-5082
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Wed Apr 8 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/