CVE-2017-20240

Summary

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks.

These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.

Affected Software

VendorProductVersion RangeStatus
ARODLANDCrypt::PBKDF20 < 0.261630affected

Weaknesses

  • CWE-208: CWE-208 Observable Timing Discrepancy

Workarounds

Apply the patch from the referenced pull request.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References