Message-ID: <b99763a0-470f-4299-97f1-40e67a619548@cpansec.org>
Date: Tue, 31 Mar 2026 11:08:30 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-15618: Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key

========================================================================
CVE-2025-15618
CPAN Security Group
========================================================================

CVE ID:       CVE-2025-15618
Distribution: Business-OnlinePayment-StoredTransaction
Versions:     through 0.01
MetaCPAN:     https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key

Description
-----------

Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl use an insecure secret key.

Business::OnlinePayment::StoredTransaction generates a secret key by taking the MD5 hash of a single call to the built-in rand function, which is unsuitable for cryptographic use. This key is intended for encrypting credit card transaction data.

Problem types
-------------

- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
- CWE-693 Protection Mechanism Failure

Workarounds
-----------

Apply the patch that uses Crypt::URandom to generate a secret key.

References
----------

https://metacpan.org/dist/Business-OnlinePayment-StoredTransaction/source/lib/Business/OnlinePayment/StoredTransaction.pm#L64-75
https://security.metacpan.org/patches/B/Business-OnlinePayment-StoredTransaction/0.01/CVE-2025-15618-r1.patch
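As an added illustration (not the module's code and not the linked patch), the weak pattern the advisory describes next to the Crypt::URandom replacement it recommends, with a small audit check showing why a key derived from rand() is unsuitable: the subroutine names, the 32-byte key length and the seed value are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::URandom qw(urandom);

# Weak pattern (illustrative, not the module's exact lines): the "key" is a
# deterministic function of one rand() output, so it carries at most the
# entropy of the PRNG seed, and hashing with MD5 adds none.
sub weak_key {
    return md5_hex(rand());
}

# Fixed pattern, following the advisory's workaround: 32 bytes from the
# OS CSPRNG via Crypt::URandom, hex-encoded for storage. Key length is an
# assumption chosen for this example.
sub strong_key {
    return unpack('H*', urandom(32));
}

# Audit check: a generator that is a pure function of the Perl PRNG state
# yields the same key after re-seeding with the same value; a CSPRNG-backed
# generator is unaffected by srand() and yields a fresh key every call.
sub reproducible_under_seed {
    my ($gen, $seed) = @_;
    srand($seed);
    my $first = $gen->();
    srand($seed);
    my $second = $gen->();
    return $first eq $second ? 1 : 0;
}

printf "weak key reproducible after srand:   %d\n",
    reproducible_under_seed(\&weak_key,   12345);
printf "strong key reproducible after srand: %d\n",
    reproducible_under_seed(\&strong_key, 12345);
```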