CVE Catalog

CVE-2017-20240

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Summary

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. The use of Perl's built-in eq comparison may allow an attacker to guess the underlying derived key by analyzing timing discrepancies.

Risk Assessment

An attacker could exploit timing differences to guess the key, potentially compromising sensitive data. This poses a significant security risk for applications using this library.

Recommendation

It is recommended to upgrade to Crypt::PBKDF2 version 0.261630 or later to mitigate the risk of timing attacks.

Original NVD description (English source)

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS