@@ -1,14 +1,43 @@
{
"schema_version": "1.4.0",
"id": "GHSA-r2q3-hjc8-7x6q",
"modified": "2026-05-16T03:31:27Z",
"modified": "2026-05-16T03:32:33Z",
"published": "2026-05-16T00:31:11Z",
"aliases": [
"CVE-2026-8700"
],
"details": "Crypt::DSA versions before 1.20 for Perl generate seeds using rand.\n\nSeeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.",
"severity": [],
"affected": [],
"summary": "Crypt::DSA Uses Predictable Random Number Generator for Seed Generation",
"details": "### Summary\nVersions of the `Crypt::DSA` module for Perl prior to 1.20 generate cryptographic seeds using Perl's built-in `rand()` function. The `rand()` function is a pseudo-random number generator (PRNG) that is deterministic, predictable, and not designed or intended for use in cryptographic contexts.\n\n### Impact\nAn attacker can exploit the predictability of the `rand()` seed generation logic to reproduce or guess the keys generated by the `Crypt::DSA::KeyChain` engine. This significantly decreases the entropy of the resulting Digital Signature Algorithm (DSA) private keys, allowing a remote or local adversary to potentially recover private signing keys, forge signatures, or decrypt intercepted traffic that relies on these keys.\n\n### Remediation\nUpgrade the `Crypt::DSA` Perl module to version **1.20** or later. Version 1.20 replaces the usage of `rand()` with a cryptographically secure random number generator (CSPRNG) interface during internal seed setup.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
}
],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "Crypt::DSA"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "= 1.20"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "< 1.20"
}
}
],
"references": [
{
"type": "ADVISORY",
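Review bot: The new `affected` entry files a Perl module under `"ecosystem": "Packagist"`, which is the PHP Composer registry, so the range would be evaluated against PHP packages and never against an installed `Crypt::DSA`; leave `affected` empty unless the database has an ecosystem that actually hosts this module. The `"fixed": "= 1.20"` event should be the bare version `"1.20"`, since a range event takes a version string, not a comparison expression. The Impact paragraph in the new `details` also goes beyond the original description, which only says seeds were generated with `rand`: DSA is a signature scheme, so "decrypt intercepted traffic" does not follow from it and should be dropped or sourced.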
@@ -31,7 +60,7 @@
"cwe_ids": [
"CWE-331"
],
"severity": null,
"severity": "CRITICAL",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-15T22:16:57Z"
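Review bot: `"severity": "CRITICAL"` is set while `"github_reviewed": false` stays in place, and the rating depends on the `C:H` in the CVSS vector added earlier in this file; with `C:N` the same vector scores 7.5 (High), so either justify a high confidentiality impact for a signature-only algorithm or lower this to `HIGH`. The unchanged `CWE-331` (Insufficient Entropy) is also a loose fit for a description about a predictable PRNG; CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) matches the text more directly.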