========================================================================
CVE-2026-6146                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-6146
  Distribution:  Amazon-Credentials
      Versions:  through 1.2.0

      MetaCPAN:  https://metacpan.org/dist/Amazon-Credentials
      VCS Repo:  https://github.com/rlauer6/Amazon-Credentials


Amazon::Credentials versions through 1.2.0 for Perl use rand to
generate encryption keys

Description
-----------
Amazon::Credentials versions through 1.2.0 for Perl use rand to
generate encryption keys.

Amazon::Credentials stores credentials in an obfuscated form to prevent
access to the secrets from a data dump of the object.

Before version 1.3.0, the secrets were encrypted using a 64-bit key
that was generated using the built-in rand function, which is
predictable and unsuitable for cryptography.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
  (PRNG)

Solutions
---------
Upgrade to version 1.3.0 or later.

References
----------
https://metacpan.org/release/BIGFOOT/Amazon-Credentials-1.2.0/source/lib/Amazon/Credentials.pm#L1415-1418
https://metacpan.org/release/BIGFOOT/Amazon-Credentials-1.3.0/changes
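
Added example, not part of the advisory and not the module's code: a
constructed Perl illustration of the CWE-338 pattern named in the
Description (a 64-bit key built from rand) beside a key drawn from the
operating system CSPRNG. The function names, the seed value and the use
of /dev/urandom (a Unix-like system) are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed illustration of the weak pattern (CWE-338): a 64-bit key
# built from Perl's built-in rand. This is NOT the module's actual code.
sub weak_key_hex {
    return join '', map { sprintf '%02x', int(rand(256)) } 1 .. 8;
}

# Hardened form: take the key bytes from the operating system CSPRNG.
# Assumption: a Unix-like system that provides /dev/urandom.
sub csprng_key_hex {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $nbytes) {
        # Append at the current end of the buffer until we have enough.
        my $got = read $fh, $buf, $nbytes - length($buf), length($buf);
        die "read from /dev/urandom failed: $!" unless $got;
    }
    close $fh;
    return unpack 'H*', $buf;
}

# rand is a deterministic function of its seed: the same seed yields the
# same "key", so the key is only as secret as the seed.
srand(12345);    # constructed seed value
my $first = weak_key_hex();
srand(12345);
my $second = weak_key_hex();
printf "rand key, run 1: %s\n", $first;
printf "rand key, run 2: %s\n", $second;
printf "identical: %s\n", ($first eq $second ? 'yes' : 'no');

# CSPRNG draws are independent of each other; there is no seed to replay.
printf "CSPRNG key (32 bytes): %s\n", csprng_key_hex(32);
printf "CSPRNG key (32 bytes): %s\n", csprng_key_hex(32);
```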
