CVE-2026-6146: Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys
Robert Rothenberg
11 May 2026 19:14 UTC

========================================================================
CVE-2026-6146                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-6146
   Distribution:  Amazon-Credentials
       Versions:  through 1.2.0

       MetaCPAN:  https://metacpan.org/dist/Amazon-Credentials
       VCS Repo:  https://github.com/rlauer6/Amazon-Credentials

Amazon::Credentials versions through 1.2.0 for Perl uses rand to
generate encryption keys

Description
-----------
Amazon::Credentials versions through 1.2.0 for Perl uses rand to
generate encryption keys.

Amazon::Credentials stores credentials in an obfuscated form to prevent
access to the secrets from a data dump of the object.

Before version 1.3.0, the secrets were encrypted using a 64-bit key
that was generated using the built-in rand function, which is
predictable and unsuitable for cryptography.
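
The weakness class described above, shown as an added example that is not code from the advisory or from Amazon::Credentials: a 64-bit key built from rand is fully determined by the PRNG seed, while a key read from the operating system CSPRNG is not. The names weak_key and strong_key, the sample seed, and the use of /dev/urandom (a Unix-like system is assumed) are illustrative assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Weak pattern (constructed for illustration, not the module's code):
# an 8-byte (64-bit) key assembled from the built-in rand().
sub weak_key {
    return join '', map { chr(int(rand(256))) } 1 .. 8;
}

# Hardened pattern: take the key bytes from the operating system CSPRNG.
# Assumes a Unix-like system that provides /dev/urandom.
sub strong_key {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $len) {
        my $n = sysread $fh, $buf, $len - length($buf), length($buf);
        die "read from /dev/urandom failed: $!" unless defined $n;
        die "unexpected EOF on /dev/urandom" if $n == 0;
    }
    close $fh;
    return $buf;
}

# rand() output is a pure function of the seed: re-seeding with the
# same value reproduces the same "key" byte for byte.
my $seed = 12345;    # constructed sample seed
srand $seed;
my $first = weak_key();
srand $seed;
my $second = weak_key();
printf "rand key, run 1: %s\n", unpack 'H*', $first;
printf "rand key, run 2: %s\n", unpack 'H*', $second;
print "identical: ", ($first eq $second ? "yes" : "no"), "\n";

# Keys from the OS CSPRNG do not depend on any seed the program holds.
my $k1 = strong_key(32);
my $k2 = strong_key(32);
printf "urandom key 1:   %s\n", unpack 'H*', $k1;
printf "urandom key 2:   %s\n", unpack 'H*', $k2;
print "identical: ", ($k1 eq $k2 ? "yes" : "no"), "\n";
```

When auditing other Perl code for CWE-338, the same check applies: any key, token or nonce whose bytes trace back to rand or srand should be replaced with output from the system CSPRNG.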

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG)

Solutions
---------
Upgrade to version 1.3.0 or later.

References
----------
https://metacpan.org/release/BIGFOOT/Amazon-Credentials-1.2.0/source/lib/Amazon/Credentials.pm#L1415-1418
https://metacpan.org/release/BIGFOOT/Amazon-Credentials-1.3.0/changes