CVE-2017-20240
5.9 MEDIUMCrypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks
Published: 2026-06-12 · Last updated: 2026-06-12
Severity and scoring
- CVSS
- 5.9 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-208
Description
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2017-20240
- [Other]https://github.com/arodland/Crypt-PBKDF2/pull/6
- [Other]https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.161520/source/lib/Crypt/PBKDF2.pm#L123-148
- [Other]https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
- [Other]http://www.openwall.com/lists/oss-security/2026/06/12/3
Related CVEs
Same CWE
- CVE-2026-54411 — Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path... (5.9 MEDIUM)
- CVE-2026-48011 — Shopware is an open commerce platform (3.7 LOW)
- CVE-2026-48859 — Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enum... (5.3 MEDIUM)
- CVE-2026-5419 — A flaw was found in gnutls (3.7 LOW)
- CVE-2026-45410 — TREK is a collaborative travel planner (5.3 MEDIUM)