CVE-2024-56370

Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Net::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537
https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L58
https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L9
https://perldoc.perl.org/functions/rand
https://security.metacpan.org/docs/guides/random-data-for-security.html

Configurations

No configuration.

History

14 Apr 2025, 18:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

07 Apr 2025, 14:17

Type	Values Removed	Values Added
Summary		(es) Net::Xero 0.044 y versiones anteriores para Perl utilizan la función rand() como fuente predeterminada de entropía, la cual no es criptográficamente segura para funciones criptográficas. En concreto, Net::Xero utiliza la librería Data::Random, que indica específicamente que es útil principalmente para programas de prueba. Data::Random utiliza la función rand().

05 Apr 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-05 19:15

Updated : 2025-04-14 18:15

NVD link : CVE-2024-56370

Mitre link : CVE-2024-56370

CVE.ORG link : CVE-2024-56370

JSON object : View

Products Affected

No product.

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

{"id": "CVE-2024-56370", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-04-05T19:15:38.857", "references": [{"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L58", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L9", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://perldoc.perl.org/functions/rand", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Net::Xero uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."}, {"lang": "es", "value": "Net::Xero 0.044 y versiones anteriores para Perl utilizan la funci\u00f3n rand() como fuente predeterminada de entrop\u00eda, la cual no es criptogr\u00e1ficamente segura para funciones criptogr\u00e1ficas. En concreto, Net::Xero utiliza la librer\u00eda Data::Random, que indica espec\u00edficamente que es \u00fatil principalmente para programas de prueba. Data::Random utiliza la funci\u00f3n rand()."}], "lastModified": "2025-04-14T18:15:28.220", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}