Message-ID: <d0effbe5-53cf-4a02-a7e2-5a90ff875cc9@cpansec.org>
Date: Thu, 21 May 2026 22:08:15 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-5091: Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks

========================================================================
CVE-2026-5091                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-5091
  Distribution:  Catalyst-Plugin-Authentication
      Versions:  through 0.10024

      MetaCPAN:  https://metacpan.org/dist/Catalyst-Plugin-Authentication
      VCS Repo:  https://github.com/perl-catalyst/Catalyst-Plugin-Authentication


Catalyst::Plugin::Authentication versions through 0.10024 for Perl is
susceptible to timing attacks

Description
-----------
Catalyst::Plugin::Authentication versions through 0.10024 for Perl is
susceptible to timing attacks.

These versions use Perl's built-in eq comparison. Discrepancies in
timing could be used to guess the underlying hash or password.

Problem types
-------------
- CWE-208 Observable Timing Discrepancy

Solutions
---------
Upgrade to version 0.10026 or later.

References
----------
https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_025/changes
https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e.patch
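
The eq pattern named in the Description, next to a comparison with no early exit on a mismatch. This is an added example, not code from the advisory or from the Catalyst::Plugin::Authentication distribution; check_eq and check_constant_time are hypothetical names and the sample digest is constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Pattern the advisory describes: eq can stop at the first differing
# byte, so run time depends on how much of the secret already matches.
sub check_eq {
    my ($stored, $supplied) = @_;
    return $stored eq $supplied ? 1 : 0;
}

# Hypothetical replacement: visit every byte and fold all differences
# into one accumulator, so a mismatch never ends the loop early.
sub check_constant_time {
    my ($stored, $supplied) = @_;
    return 0 unless defined $stored && defined $supplied;

    # Work on UTF-8 encoded copies so both sides are compared as bytes.
    utf8::encode($_) for ($stored, $supplied);

    my $stored_len = length($stored);
    my $diff       = $stored_len ^ length($supplied);  # length mismatch fails

    # The loop count follows the caller-supplied value, not the secret.
    for my $i (0 .. length($supplied) - 1) {
        my $s = $stored_len ? ord(substr($stored, $i % $stored_len, 1)) : 0;
        $diff |= $s ^ ord(substr($supplied, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values, not taken from any real system.
my $stored  = 'a' x 64;    # stands in for a stored hex digest
my @guesses = (
    'a' x 64,              # exact match
    ('a' x 63) . 'b',      # differs in the last byte
    'b' . ('a' x 63),      # differs in the first byte
    'a' x 10,              # shorter than the stored value
    '',                    # empty input
);

for my $guess (@guesses) {
    my $old = check_eq($stored, $guess);
    my $new = check_constant_time($stored, $guess);
    die "results disagree for a guess of length " . length($guess) . "\n"
        unless $old == $new;
    printf "len=%-3d eq=%d constant_time=%d\n", length($guess), $old, $new;
}
```

Pure Perl cannot guarantee constant run time at the interpreter level; what this removes is the data-dependent early exit that CWE-208 refers to.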