Critical Vulnerability Information

Vulnerability Description

CVE ID: CVE-2023-40920
Affected Module: Catalyst::Authentication::Credential::HTTP
Affected Versions: From 0.86 to 1.018
Issue Types:
- CWE-340: Generation of Predictable Numbers or Identifiers
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator

Vulnerability Details

Data::UUID Issue:
- Does not use a strong cryptographic source to generate UUIDs.
- Returns v3 UUIDs, which are generated based on known information and are not suitable for security-sensitive contexts (as per RFC 9562).

Recommended Practice:
- Non-constant values should be generated from a strong cryptographic source, in compliance with RFC 7516 requirements.

Reference Links
- GitHub Commit
- GitHub Pull Request
- CPAN Release
- IETF RFC 9562
- IETF RFC 7516 Section 5.2.2
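The contrast the advisory draws, shown as an added Perl example that is not code from the advisory or from the Catalyst project: a value built from Data::UUID, the pattern the affected versions relied on, beside the same value drawn from the operating system's CSPRNG. The helper names `weak_nonce` and `strong_nonce` are this example's own, and it assumes a Unix-like host exposing /dev/urandom; Data::UUID is loaded only if it is installed.

```perl
#!/usr/bin/env perl
# Added example, not from the advisory or the Catalyst project.
# Assumes a Unix-like host with /dev/urandom.
use strict;
use warnings;

# Weak pattern: Data::UUID builds its output from known, non-secret
# inputs rather than a cryptographic source, so its values must not be
# used where unpredictability matters. Shown only as the form to avoid.
sub weak_nonce {
    require Data::UUID;    # only needed for this comparison
    return Data::UUID->new->create_str;
}

# Strong pattern: read raw bytes from the kernel CSPRNG and hex-encode
# them. 16 bytes gives 128 bits of entropy, which is ample for a
# one-time value.
sub strong_nonce {
    my $len = shift // 16;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $len;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $len;
    return unpack 'H*', $bytes;
}

# Sanity checks a reviewer can run: expected length, and two
# consecutive values differ.
my $n1 = strong_nonce();
my $n2 = strong_nonce();
die "unexpected length" unless length($n1) == 32;
die "values collided"   if $n1 eq $n2;
print "strong: $n1\n";

# Print the weak form only when Data::UUID is available on this host.
if (eval { require Data::UUID; 1 }) {
    print "weak (Data::UUID): ", weak_nonce(), "\n";
}
```

When auditing Perl code for this class of issue, search for `Data::UUID`, `rand`, and `srand` in any code path that produces session identifiers, nonces, tokens or reset codes, and replace them with reads from /dev/urandom or a CPAN module that wraps it; a value that only needs to be unique (a database key) may keep Data::UUID, but a value that must be unguessable may not.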