GHSA-m538-6wp4-7h22MediumCVSS 5.9
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions...
🔗 CVE IDs covered (1)
📋 Description
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks.
These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.
🔗 References (6)
- https://nvd.nist.gov/vuln/detail/CVE-2017-20240
- https://github.com/arodland/Crypt-PBKDF2/pull/6
- https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.161520/source/lib/Crypt/PBKDF2.pm#L123-148
- https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
- http://www.openwall.com/lists/oss-security/2026/06/12/3
- https://github.com/advisories/GHSA-m538-6wp4-7h22