PatchSiren cyber security CVE debrief
CVE-2017-20240 ARODLAND CVE debrief
CVE-2017-20240 is a medium-severity vulnerability in Crypt::PBKDF2 versions before 0.261630 for Perl. The module uses Perl's built-in eq comparison when validating a derived key, which makes the comparison time depend on the input and allows timing attacks that could be used to guess the underlying derived key. The CVSS score for this vulnerability is 5.9, indicating a medium severity level.
- Vendor: ARODLAND
- Product: Crypt::PBKDF2
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers and administrators using Crypt::PBKDF2 versions before 0.261630 for Perl should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by the use of Perl's built-in eq comparison in Crypt::PBKDF2 versions before 0.261630. Because eq is not constant-time, an attacker who can measure how long validation takes can mount a timing attack and use it to guess the underlying derived key.
Defensive priority
Medium
Recommended defensive actions
- Update Crypt::PBKDF2 to version 0.261630 or later.
- Use a secure comparison function, such as a constant-time comparison function.
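As an added illustration of the comparison pattern described in the technical summary and of the constant-time comparison recommended above (this is not code from Crypt::PBKDF2 or from the advisory), here is an eq-based check next to a byte-accumulating check in Perl; the sample key values are constructed with Digest::SHA and merely stand in for derived keys.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(sha256);

# Vulnerable pattern: Perl's built-in eq returns as soon as it finds a
# differing byte, so the time taken to reject a candidate depends on how
# much of it matches the stored derived key.
sub validate_with_eq {
    my ($stored_key, $candidate_key) = @_;
    return $stored_key eq $candidate_key ? 1 : 0;
}

# Hardened pattern: XOR every byte and accumulate the differences, so the
# amount of work does not depend on where (or whether) the strings differ.
# Only the length is checked up front; derived keys from a fixed PBKDF2
# configuration always have the same length, so that check leaks nothing
# useful.
sub validate_constant_time {
    my ($stored_key, $candidate_key) = @_;
    return 0 if length($stored_key) != length($candidate_key);
    my $diff = 0;
    for my $i (0 .. length($stored_key) - 1) {
        $diff |= ord(substr($stored_key, $i, 1)) ^ ord(substr($candidate_key, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values (not real PBKDF2 output): a stored key, a
# matching candidate, and a candidate that differs only in its last byte.
my $stored    = sha256("constructed-sample-derived-key");
my $matching  = sha256("constructed-sample-derived-key");
my $near_miss = substr($stored, 0, 31) . chr(ord(substr($stored, 31, 1)) ^ 0x01);

# Both checks give the same answers; they differ only in timing behaviour.
printf "eq:            match=%d near_miss=%d\n",
    validate_with_eq($stored, $matching), validate_with_eq($stored, $near_miss);
printf "constant-time: match=%d near_miss=%d\n",
    validate_constant_time($stored, $matching), validate_constant_time($stored, $near_miss);
```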
Evidence notes
The vulnerability was reported by an unknown vendor and has a low confidence level.
Official resources
- CVE-2017-20240 CVE record (CVE.org)
- CVE-2017-20240 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e
- Source reference: af854a3a-2127-422b-91ae-364da2661108
CVE-2017-20240 was published on 2026-06-12T14:16:28.660Z and modified on 2026-06-12T17:16:22.133Z.