CVE-2026-6146: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in BIGFOOT Amazon::Credentials
Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object. Before version 1.3.0, the secrets were encrypted using a 64-bit key that was generated using the built-in rand function, which is predictable and unsuitable for cryptography.
AI Analysis
Technical Summary
Amazon::Credentials versions up to 1.2.0 use the Perl built-in rand function to generate 64-bit encryption keys for obfuscating stored credentials. Since rand is a predictable and cryptographically weak PRNG, the encryption keys can be potentially guessed, undermining the confidentiality of the stored secrets. This vulnerability is classified under CWE-338 (Use of Cryptographically Weak PRNG). No CVSS score is assigned, and no official patch or remediation level is indicated in the available data.
Potential Impact
The use of a predictable PRNG for key generation compromises the encryption of stored credentials, potentially allowing attackers to recover sensitive secrets from data dumps of the object. This weakens the confidentiality guarantees of the Amazon::Credentials module prior to version 1.3.0. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
Upgrade to Amazon::Credentials version 1.3.0 or later, where the use of the built-in rand function for key generation has been replaced with a more secure method. Since no official patch or advisory is provided, users should verify the version in use and update accordingly to mitigate this vulnerability. Patch status is not yet confirmed by a vendor advisory; check for official updates.
CVE-2026-6146: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in BIGFOOT Amazon::Credentials
Description
Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object. Before version 1.3.0, the secrets were encrypted using a 64-bit key that was generated using the built-in rand function, which is predictable and unsuitable for cryptography.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Amazon::Credentials versions up to 1.2.0 use the Perl built-in rand function to generate 64-bit encryption keys for obfuscating stored credentials. Since rand is a predictable and cryptographically weak PRNG, the encryption keys can be potentially guessed, undermining the confidentiality of the stored secrets. This vulnerability is classified under CWE-338 (Use of Cryptographically Weak PRNG). No CVSS score is assigned, and no official patch or remediation level is indicated in the available data.
Potential Impact
The use of a predictable PRNG for key generation compromises the encryption of stored credentials, potentially allowing attackers to recover sensitive secrets from data dumps of the object. This weakens the confidentiality guarantees of the Amazon::Credentials module prior to version 1.3.0. There are no known exploits in the wild reported at this time.
Mitigation Recommendations
Upgrade to Amazon::Credentials version 1.3.0 or later, where the use of the built-in rand function for key generation has been replaced with a more secure method. Since no official patch or advisory is provided, users should verify the version in use and update accordingly to mitigate this vulnerability. Patch status is not yet confirmed by a vendor advisory; check for official updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-04-12T17:24:50.568Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a022c38cbff5d86104f7ce4
Added to database: 5/11/2026, 7:21:28 PM
Last enriched: 5/11/2026, 7:37:51 PM
Last updated: 5/12/2026, 3:53:05 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.