Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-6df5ab0b98 advisory.

    This update upgrade the package to version 1.019. This version fixes CVE-2025-40920 by using     Crypt::SysRandom to generate nonces instead of Data::UUID.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-d72429a1f8 advisory.

    This update upgrade the package to version 1.019. This version fixes CVE-2025-40920 by using     Crypt::SysRandom to generate nonces instead of Data::UUID.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the     Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. *     Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security,     as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616.
    (CVE-2025-40920)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the c323bab5-80dd-11f0-97c4-40b034429ecf advisory.

    perl-catalyst project reports:
    Catalyst::Authentication::Credential::HTTP versions 1.018               and earlier for Perl generate nonces using               the Perl Data::UUID library. * Data::UUID does not use a               strong cryptographic source for generating               UUIDs.* Data::UUID returns v3 UUIDs, which are generated               from known information and are unsuitable for               security, as per RFC 9562. * The nonces should be generated               from a strong cryptographic source, as per RFC 7616.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
265712	Fedora 43 : perl-Catalyst-Authentication-Credential-HTTP (2025-6df5ab0b98)	Nessus	Fedora Local Security Checks	high
264875	Fedora 42 : perl-Catalyst-Authentication-Credential-HTTP (2025-d72429a1f8)	Nessus	Fedora Local Security Checks	high
259921	Linux Distros Unpatched Vulnerability : CVE-2025-40920	Nessus	Misc.	high
253986	FreeBSD : p5-Catalyst-Authentication-Credential-HTTP -- Insecure source of randomness (c323bab5-80dd-11f0-97c4-40b034429ecf)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2025-40920

high

Tenable Plugins

high

high

high

high