Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys.
Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object.
Before version 1.3.0, the secrets were encrypted using a 64-bit key that was generated using the built-in rand function, which is predictable and unsuitable for cryptography.
AnalysisAI
Amazon::Credentials for Perl versions through 1.2.0 uses the predictable built-in rand() function to generate 64-bit encryption keys for credential obfuscation, allowing attackers to recover stored credentials through key prediction rather than cryptographic attack. Affects Perl applications that depend on this library to protect AWS credentials and similar secrets in memory or serialized objects. No authentication required; exploitation requires access to the encrypted credential object and knowledge of the rand() seed.
Technical ContextAI
Amazon::Credentials is a Perl library that obfuscates AWS credentials stored in objects to prevent exposure via memory dumps or object serialization. The vulnerability stems from use of Perl's built-in rand() function, which is a pseudo-random number generator (PRNG) designed for non-cryptographic purposes and is seeded predictably (often from system time). The library generates a 64-bit encryption key from this PRNG output. CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator) identifies the root cause: cryptographic operations must use cryptographically secure random sources (e.g., /dev/urandom, Crypt::Random, or Math::Random::Secure). A 64-bit key is additionally weak by modern standards (should be ≥128 bits), compounding the issue. The CPE cpe:2.3:a:bigfoot:amazon::credentials indicates the affected component is the CPAN module maintained under the BIGFOOT namespace.
RemediationAI
Vendor-released patch: upgrade to Amazon::Credentials 1.3.0 or later, which generates encryption keys using a cryptographically secure random source instead of rand(). For applications unable to upgrade immediately, do not serialize Amazon::Credentials objects to disk, logs, or external storage; keep credential objects in-memory only and restrict access to trusted processes. Review git history and artifact repositories for any committed or cached serialized credential objects from versions 1.2.0 and earlier, and assume those credentials compromised if exposed. Consider rotating all AWS credentials that were managed by vulnerable versions. See https://metacpan.org/release/BIGFOOT/Amazon-Credentials-1.3.0/changes and https://nvd.nist.gov/vuln/detail/CVE-2026-6146 for upgrade and migration guidance. No workarounds short of code review and upgrade are acceptable for cryptographic key generation flaws.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29199
GHSA-mx57-4jmx-5cvf