Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys.
Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object.
Before version 1.3.0, the secrets were encrypted using a 64-bit key that was generated using the built-in rand function, which is predictable and unsuitable for cryptography.
| Score | Percentile |
|---|---|
| 0.01% | 2.00% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-mx57-4jmx-5cvf ↗ |
| CVE | CVE-2026-6146 ↗ |
| CWE id | Name |
|---|---|
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |