ByteOS Network

Vulnerability Details :

CVE-2024-57868

Assigner Org ID-9b29abf9-4ab0-4765-b253-1875cd9b441e

Published At-05 Apr, 2025 | 15:35

Updated At-07 Apr, 2025 | 18:29

Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions

Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Web::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:CPANSec

Assigner Org ID:9b29abf9-4ab0-4765-b253-1875cd9b441e

Published At:05 Apr, 2025 | 15:35

Updated At:07 Apr, 2025 | 18:29

▼CVE Numbering Authority (CNA)

Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions

Affected Products

Vendor

LEV

Product

Web::API

Collection URL

https://cpan.org/modules

Package Name

Web-API

Program Files

lib/Web/API.pm

Default Status

unaffected

Versions

Affected

From 0 through 2.8 (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-338	CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Type: CWE

CWE ID: CWE-338

Description: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Credits

finder

Robert Rothenberg (RRWO)

References

Hyperlink	Resource
https://perldoc.perl.org/functions/rand	N/A
https://security.metacpan.org/docs/guides/random-data-for-security.html	N/A
https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537	N/A
https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L20	N/A
https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L348	N/A

Hyperlink: https://perldoc.perl.org/functions/rand

Resource: N/A

Hyperlink: https://security.metacpan.org/docs/guides/random-data-for-security.html

Resource: N/A

Hyperlink: https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537

Resource: N/A

Hyperlink: https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L20

Resource: N/A

Hyperlink: https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L348

Resource: N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics

Version	Base score	Base severity	Vector
3.1	5.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Version: 3.1

Base score: 5.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:9b29abf9-4ab0-4765-b253-1875cd9b441e

Published At:05 Apr, 2025 | 16:15

Updated At:07 Apr, 2025 | 19:15

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Type: Secondary

Version: 3.1

Base score: 5.5

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Weaknesses

CWE ID	Type	Source
CWE-338	Secondary	9b29abf9-4ab0-4765-b253-1875cd9b441e

CWE ID: CWE-338

Type: Secondary

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

References

Hyperlink	Source	Resource
https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L20	9b29abf9-4ab0-4765-b253-1875cd9b441e	N/A
https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L348	9b29abf9-4ab0-4765-b253-1875cd9b441e	N/A
https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537	9b29abf9-4ab0-4765-b253-1875cd9b441e	N/A
https://perldoc.perl.org/functions/rand	9b29abf9-4ab0-4765-b253-1875cd9b441e	N/A
https://security.metacpan.org/docs/guides/random-data-for-security.html	9b29abf9-4ab0-4765-b253-1875cd9b441e	N/A

Hyperlink: https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L20

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Resource: N/A

Hyperlink: https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L348

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Resource: N/A

Hyperlink: https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Resource: N/A

Hyperlink: https://perldoc.perl.org/functions/rand

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Resource: N/A

Hyperlink: https://security.metacpan.org/docs/guides/random-data-for-security.html

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Resource: N/A

Similar CVEs

3Records found

CVE-2024-57835

Matching Score-4

Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e

View Details

Matching Score-4

Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS Score-5.5||MEDIUM

EPSS-0.09% / 25.62%

7 Day CHG~0.00%

Published-05 Apr, 2025 | 16:11

Updated-07 Apr, 2025 | 19:15

Amon2::Auth::Site::LINE versions through 0.04 for Perl uses insecure rand() function for cryptographic functions

Amon2::Auth::Site::LINE uses the String::Random module to generate nonce values. String::Random defaults to Perl's built-in predictable random number generator, the rand() function, which is not cryptographically secure

Vendor-TANIGUCHI

Product-Amon2::Auth::Site::LINE

CWE ID-CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVE-2024-58036

Matching Score-4

Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e

View Details

Matching Score-4

Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS Score-5.5||MEDIUM

EPSS-0.09% / 26.81%

7 Day CHG~0.00%

Published-05 Apr, 2025 | 16:06

Updated-10 Apr, 2025 | 16:27

Net::Dropbox::API 1.9 and earlier for Perl uses insecure rand() function for cryptographic functions

Net::Dropbox::API 1.9 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Net::Dropbox::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

Vendor-norbu09 NORBU

Product-net\Net::Dropbox::API

CWE ID-CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVE-2024-52322

Matching Score-4

Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e

View Details

Matching Score-4

Assigner-9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS Score-5.5||MEDIUM

EPSS-0.10% / 28.66%

7 Day CHG~0.00%

Published-05 Apr, 2025 | 16:19

Updated-10 Apr, 2025 | 16:13

WebService::Xero 0.11 for Perl uses insecure rand() function for cryptographic functions

WebService::Xero 0.11 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically WebService::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

Vendor-localshop LOCALSHOP

Product-webservice\WebService::Xero

CWE ID-CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVE-2024-57868

Credits

Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs