CVE-2017-20240
MediumCVSS 5.9Summary
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. The use of Perl's built-in eq comparison may allow an attacker to guess the underlying derived key by analyzing timing discrepancies.
Risk Assessment
An attacker could exploit timing differences to guess the key, potentially compromising sensitive data. This poses a significant security risk for applications using this library.
Recommendation
It is recommended to upgrade to Crypt::PBKDF2 version 0.261630 or later to mitigate the risk of timing attacks.
Original NVD description (English source)
Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.

