FKIE_CVE-2026-2439

Vulnerability from fkie_nvd - Published: 2026-02-16 22:22 - Updated: 2026-02-18 17:52
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically, * There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason. * The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses. * UUIDs are identifiers whose mere possession grants access, as per RFC 9562. * The output of the built-in rand() function is predictable and unsuitable for security applications.
References
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://github.com/bwva/Concierge-Sessions/commit/20bb28e92e8fba307c4ff8264701c215be65e73b
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/BVA/Concierge-Sessions-v0.8.4/diff/BVA/Concierge-Sessions-v0.8.5#lib/Concierge/Sessions/Base.pm
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://perldoc.perl.org/5.42.0/functions/rand
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://security.metacpan.org/docs/guides/random-data-for-security.html
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl\u0027s built-in rand function. Neither of these methods are secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically,\n\n  *  There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.\n  *  The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.\n  *  UUIDs are identifiers whose mere possession grants access, as per RFC 9562.\n  *  The output of the built-in rand() function is predictable and unsuitable for security applications."
    },
    {
      "lang": "es",
      "value": "Las versiones de Concierge::Sessions desde la 0.8.1 anteriores a la 0.8.5 para Perl generan identificadores de sesi\u00f3n inseguros. La funci\u00f3n generate_session_id en Concierge::Sessions::Base por defecto utiliza el comando uuidgen para generar un UUID, con un mecanismo de respaldo que usa la funci\u00f3n rand incorporada de Perl. Ninguno de estos m\u00e9todos es seguro, y los atacantes pueden adivinar los identificadores de sesi\u00f3n que pueden otorgarles acceso a los sistemas. Espec\u00edficamente,\n\n  * No hay ninguna advertencia cuando uuidgen falla. El software puede estar utilizando silenciosamente la funci\u00f3n de respaldo rand() sin advertencias si el comando falla por cualquier motivo.\n  * El comando uuidgen generar\u00e1 un UUID basado en el tiempo si el sistema no tiene una fuente de n\u00fameros aleatorios de alta calidad, porque la llamada no especifica expl\u00edcitamente la opci\u00f3n --random. Tenga en cuenta que la hora del sistema se comparte en las respuestas HTTP.\n  * Los UUID son identificadores cuya mera posesi\u00f3n otorga acceso, seg\u00fan la RFC 9562.\n  * La salida de la funci\u00f3n rand() incorporada es predecible e inadecuada para aplicaciones de seguridad."
    }
  ],
  "id": "CVE-2026-2439",
  "lastModified": "2026-02-18T17:52:22.253",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-16T22:22:41.470",
  "references": [
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://github.com/bwva/Concierge-Sessions/commit/20bb28e92e8fba307c4ff8264701c215be65e73b"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://metacpan.org/release/BVA/Concierge-Sessions-v0.8.4/diff/BVA/Concierge-Sessions-v0.8.5#lib/Concierge/Sessions/Base.pm"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://perldoc.perl.org/5.42.0/functions/rand"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://www.rfc-editor.org/rfc/rfc9562.html#name-security-considerations"
    }
  ],
  "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-338"
        },
        {
          "lang": "en",
          "value": "CWE-340"
        }
      ],
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.