Common Weakness Enumeration
CWE-338
AllowedUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Abstraction: Base · Status: Draft
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
293 vulnerabilities reference this CWE, most recent first.
CVE-2024-58135 (GCVE-0-2024-58135)
Vulnerability from cvelistv5 – Published: 2025-05-03 10:16 – Updated: 2026-06-05 12:37
VLAI
EPSS
VEX
Title
Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default
Summary
Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default.
When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
Release 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX.
Users should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
13 references
| URL | Tags |
|---|---|
| https://perldoc.perl.org/functions/rand | related |
| https://metacpan.org/release/SRI/Mojolicious-9.39… | related |
| https://metacpan.org/release/SRI/Mojolicious-9.38… | related |
| https://github.com/mojolicious/mojo/pull/2200 | issue-tracking |
| https://metacpan.org/release/SRI/Mojolicious-7.28… | related |
| https://security.metacpan.org/docs/guides/random-… | technical-description |
| https://github.com/hashcat/hashcat/pull/4090 | exploit |
| https://lists.debian.org/debian-perl/2025/05/msg0… | mailing-list |
| https://lists.debian.org/debian-perl/2025/05/msg0… | mailing-list |
| https://lists.debian.org/debian-perl/2025/05/msg0… | mailing-list |
| https://metacpan.org/release/SRI/Mojolicious-9.46… | release-notes |
| https://github.com/mojolicious/mojo/commit/fb3733… | patch |
| https://github.com/mojolicious/mojo/commit/789cfa… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SRI | Mojolicious |
Affected:
7.28 , ≤ 9.45
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58135",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T17:58:51.652027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T19:06:35.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Mojolicious",
"product": "Mojolicious",
"programFiles": [
"lib/Mojolicious/Command/Author/generate/app.pm",
"lib/Mojo/Util.pm",
"lib/Mojolicious/Command/generate/app.pm"
],
"programRoutines": [
{
"name": "Mojolicious::Command::Author::generate::app::run()"
},
{
"name": "Mojo::Util::generate_secret()"
}
],
"repo": "https://github.com/mojolicious/mojo",
"vendor": "SRI",
"versions": [
{
"lessThanOrEqual": "9.45",
"status": "affected",
"version": "7.28",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default.\n\nWhen creating a default app skeleton with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.\n\nRelease 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX.\n\nUsers should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T12:37:53.344Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://perldoc.perl.org/functions/rand"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/mojolicious/mojo/pull/2200"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"
},
{
"tags": [
"technical-description"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/hashcat/hashcat/pull/4090"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
},
{
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/SRI/Mojolicious-9.46/source/Changes"
},
{
"tags": [
"patch"
],
"url": "https://github.com/mojolicious/mojo/commit/fb3733f92cc8a3344e6d615b3c7dac9d538eeab0.patch"
},
{
"tags": [
"patch"
],
"url": "https://github.com/mojolicious/mojo/commit/789cfa43f9118852b38cbd1fd0a2596bcb9821ea.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to version 9.46 and replace previously generated secrets."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default",
"workarounds": [
{
"lang": "en",
"value": "Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
},
{
"lang": "en",
"value": "As of version 9.39 of Mojolicious, if the optional CryptX distribution version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-58135",
"datePublished": "2025-05-03T10:16:10.636Z",
"dateReserved": "2025-04-07T16:06:37.226Z",
"dateUpdated": "2026-06-05T12:37:53.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58041 (GCVE-0-2024-58041)
Vulnerability from cvelistv5 – Published: 2026-02-23 23:54 – Updated: 2026-02-24 16:41
VLAI
EPSS
VEX
Title
Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions
Summary
Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.
Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T16:41:10.683807Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T16:41:35.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Smolder",
"product": "Smolder",
"programFiles": [
"lib/Smolder/DB/Developer.pm"
],
"vendor": "WONKO",
"versions": [
{
"lessThanOrEqual": "1.51",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.\n\nSmolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T23:54:23.396Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5"
},
{
"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-58041",
"datePublished": "2026-02-23T23:54:23.396Z",
"dateReserved": "2025-03-26T14:00:56.432Z",
"dateUpdated": "2026-02-24T16:41:35.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-58040 (GCVE-0-2024-58040)
Vulnerability from cvelistv5 – Published: 2025-09-29 23:54 – Updated: 2025-09-30 13:37
VLAI
EPSS
VEX
Title
Crypt::RandomEncryption for Perl uses insecure rand() function during encryption
Summary
Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| QWER | Crypt::RandomEncryption |
Affected:
0.01 , ≤ *
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-30T13:36:59.598797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-30T13:37:53.749Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Crypt-RandomEncryption",
"product": "Crypt::RandomEncryption",
"programFiles": [
"lib/Crypt/RandomEncryption.pm"
],
"programRoutines": [
{
"name": "_random()"
}
],
"vendor": "QWER",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0.01",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption.\u003cbr\u003e"
}
],
"value": "Crypt::RandomEncryption for Perl version 0.01 uses insecure rand() function during encryption."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T23:54:22.953Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/QWER/Crypt-RandomEncryption-0.01/source/lib/Crypt/RandomEncryption.pm#L33"
},
{
"tags": [
"related"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"tags": [
"related"
],
"url": "https://perldoc.perl.org/functions/rand"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Crypt::RandomEncryption for Perl uses insecure rand() function during encryption",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-58040",
"datePublished": "2025-09-29T23:54:22.953Z",
"dateReserved": "2025-03-26T14:00:56.315Z",
"dateUpdated": "2025-09-30T13:37:53.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-58036 (GCVE-0-2024-58036)
Vulnerability from cvelistv5 – Published: 2025-04-05 16:06 – Updated: 2025-09-05 13:19
VLAI
EPSS
VEX
Title
Net::Dropbox::API 1.9 and earlier for Perl uses insecure rand() function for cryptographic functions
Summary
Net::Dropbox::API 1.9 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically Net::Dropbox::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NORBU | Net::Dropbox::API |
Affected:
0 , ≤ 1.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-58036",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T14:32:40.331159Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:28:41.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Dropbox-API",
"product": "Net::Dropbox::API",
"programFiles": [
"lib/Net/Dropbox/API.pm"
],
"vendor": "NORBU",
"versions": [
{
"lessThanOrEqual": "1.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Net::Dropbox::API 1.9 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\u003cbr\u003e\u003cbr\u003eSpecifically Net::Dropbox::API uses the Data::Random library which specifically states that it is \"\u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003eUseful mostly for test programs\u003c/span\u003e\". Data::Random uses the rand() function."
}
],
"value": "Net::Dropbox::API 1.9 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Net::Dropbox::API uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:19:24.872Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/release/NORBU/Net-Dropbox-API-1.9/source/lib/Net/Dropbox/API.pm#L385"
},
{
"url": "https://metacpan.org/release/NORBU/Net-Dropbox-API-1.9/source/lib/Net/Dropbox/API.pm#L11"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::Dropbox::API 1.9 and earlier for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-58036",
"datePublished": "2025-04-05T16:06:53.758Z",
"dateReserved": "2025-03-26T14:00:56.360Z",
"dateUpdated": "2025-09-05T13:19:24.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57868 (GCVE-0-2024-57868)
Vulnerability from cvelistv5 – Published: 2025-04-05 15:35 – Updated: 2025-09-05 13:18
VLAI
EPSS
VEX
Title
Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions
Summary
Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically Web::API uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57868",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T14:34:20.328851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:29:17.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Web-API",
"product": "Web::API",
"programFiles": [
"lib/Web/API.pm"
],
"vendor": "LEV",
"versions": [
{
"lessThanOrEqual": "2.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\u003cbr\u003e\u003cbr\u003eSpecifically Web::API uses the Data::Random library which specifically states that it is \"\u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003eUseful mostly for test programs\u003c/span\u003e\". Data::Random uses the rand() function."
}
],
"value": "Web::API 2.8 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Web::API uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:18:59.781Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L20"
},
{
"url": "https://metacpan.org/dist/Web-API/source/lib/Web/API.pm#L348"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Web::API 2.8 and earlier for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-57868",
"datePublished": "2025-04-05T15:35:05.802Z",
"dateReserved": "2025-03-26T14:00:56.441Z",
"dateUpdated": "2025-09-05T13:18:59.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57854 (GCVE-0-2024-57854)
Vulnerability from cvelistv5 – Published: 2026-03-05 02:18 – Updated: 2026-03-05 16:41
VLAI
EPSS
VEX
Title
Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator
Summary
Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator.
Version v0.003 switched to use Data::Rand::Obscure instead of Crypt::Random for generation of a random initialisation vectors.
Data::Rand::Obscure uses Perl's built-in rand() function, which is not suitable for cryptographic functions.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| DOUGDUDE | Net::NSCA::Client |
Affected:
0 , ≤ 0.009002
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-05T11:12:50.673Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/05/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:40:27.714179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:41:19.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-NSCA-Client",
"product": "Net::NSCA::Client",
"programFiles": [
"lib/Net/NSCA/Client/InitialPacket.pm"
],
"programRoutines": [
{
"name": "_build_initialization_vector"
}
],
"repo": "https://github.com/dougwilson/perl5-net-nsca-client",
"vendor": "DOUGDUDE",
"versions": [
{
"lessThanOrEqual": "0.009002",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg"
}
],
"descriptions": [
{
"lang": "en",
"value": "Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator.\n\nVersion v0.003 switched to use Data::Rand::Obscure instead of Crypt::Random for generation of a random initialisation vectors.\n\nData::Rand::Obscure uses Perl\u0027s built-in rand() function, which is not suitable for cryptographic functions."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T02:18:25.951Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/DOUGDUDE/Net-NSCA-Client-0.009002/source/lib/Net/NSCA/Client/InitialPacket.pm#L119"
},
{
"tags": [
"patch"
],
"url": "https://patch-diff.githubusercontent.com/raw/dougwilson/perl5-net-nsca-client/pull/2.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Apply a manual patch or migrate to a different solution"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-57854",
"datePublished": "2026-03-05T02:18:25.951Z",
"dateReserved": "2025-03-26T14:00:56.392Z",
"dateUpdated": "2026-03-05T16:41:19.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-57835 (GCVE-0-2024-57835)
Vulnerability from cvelistv5 – Published: 2025-04-05 16:11 – Updated: 2025-04-07 18:27
VLAI
EPSS
VEX
Title
Amon2::Auth::Site::LINE versions through 0.04 for Perl uses insecure rand() function for cryptographic functions
Summary
Amon2::Auth::Site::LINE uses the String::Random module to generate nonce values.
String::Random defaults to Perl's built-in predictable random number generator, the rand() function, which is not cryptographically secure
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
4 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TANIGUCHI | Amon2::Auth::Site::LINE |
Affected:
0 , ≤ 0.04
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-07T14:33:42.859939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-07T18:27:55.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Amon2-Auth-Site-LINE",
"product": "Amon2::Auth::Site::LINE",
"programFiles": [
"lib/Amon2/Auth/Site/LINE.pm"
],
"repo": "https://github.com/nipotan/p5-Amon2-Auth-Site-LINE",
"vendor": "TANIGUCHI",
"versions": [
{
"lessThanOrEqual": "0.04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Amon2::Auth::Site::LINE uses the String::Random module\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;to generate nonce values.\u003c/span\u003e\u0026nbsp;\u003cbr\u003e\u003cbr\u003eString::Random\u0026nbsp;defaults to Perl\u0027s built-in predictable\u0026nbsp;random number generator,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe rand() function\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e, which is not cryptographically secure\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Amon2::Auth::Site::LINE uses the String::Random module\u00a0to generate nonce values.\u00a0\n\nString::Random\u00a0defaults to Perl\u0027s built-in predictable\u00a0random number generator,\u00a0the rand() function, which is not cryptographically secure"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-05T16:11:11.314Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/SHLOMIF/String-Random-0.32/source/lib/String/Random.pm#L377"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L235"
},
{
"tags": [
"related"
],
"url": "https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L255"
},
{
"tags": [
"related"
],
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Amon2::Auth::Site::LINE versions through 0.04 for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-57835",
"datePublished": "2025-04-05T16:11:11.314Z",
"dateReserved": "2025-03-26T14:00:56.466Z",
"dateUpdated": "2025-04-07T18:27:55.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56830 (GCVE-0-2024-56830)
Vulnerability from cvelistv5 – Published: 2025-01-02 00:00 – Updated: 2025-04-08 09:03
VLAI
EPSS
VEX
Summary
The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl's builtin rand() if no strong randomization module is present.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56830",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T21:09:15.560472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T21:09:28.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-04-08T09:03:27.274Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00015.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl\u0027s builtin rand() if no strong randomization module is present."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T05:00:55.766Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://metacpan.org/release/MNAGUIB/EasyTCP-0.26/changes"
},
{
"url": "https://github.com/briandfoy/cpan-security-advisory/issues/184"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-56830",
"datePublished": "2025-01-02T00:00:00.000Z",
"dateReserved": "2025-01-02T00:00:00.000Z",
"dateUpdated": "2025-04-08T09:03:27.274Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56370 (GCVE-0-2024-56370)
Vulnerability from cvelistv5 – Published: 2025-04-05 18:26 – Updated: 2025-09-05 13:18
VLAI
EPSS
VEX
Title
Net::Xero 0.044 and earlier for Perl uses insecure rand() function for cryptographic functions
Summary
Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.
Specifically Net::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-56370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T17:44:45.535548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T17:45:24.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Net-Xero",
"product": "Net::Xero",
"programFiles": [
"lib/Net/Xero.pm"
],
"vendor": "ELLIOTT",
"versions": [
{
"lessThanOrEqual": "0.44",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\u003cbr\u003e\u003cbr\u003eSpecifically Net::Xero uses the Data::Random library which specifically states that it is \"\u003cspan style=\"background-color: rgb(245, 245, 245);\"\u003eUseful mostly for test programs\u003c/span\u003e\". Data::Random uses the rand() function."
}
],
"value": "Net::Xero 0.044 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Net::Xero uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-331",
"description": "CWE-331 Insufficient Entropy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-05T13:18:38.369Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://perldoc.perl.org/functions/rand"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
},
{
"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
},
{
"url": "https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L58"
},
{
"url": "https://metacpan.org/release/ELLIOTT/Net-Xero-0.44/source/lib/Net/Xero.pm#L9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Net::Xero 0.044 and earlier for Perl uses insecure rand() function for cryptographic functions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-56370",
"datePublished": "2025-04-05T18:26:22.102Z",
"dateReserved": "2025-03-26T14:00:56.418Z",
"dateUpdated": "2025-09-05T13:18:38.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-53702 (GCVE-0-2024-53702)
Vulnerability from cvelistv5 – Published: 2024-12-05 13:53 – Updated: 2024-12-05 15:10
VLAI
EPSS
VEX
Summary
Use of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://psirt.global.sonicwall.com/vuln-detail/SN… | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| SonicWall | SMA100 |
Affected:
10.2.1.13-72sv and earlier versions
|
|
| sonicwall | sma100_firmware |
Affected:
0 , ≤ 10.2.1.13-72sv
(custom)
cpe:2.3:o:sonicwall:sma100_firmware:*:*:*:*:*:*:*:* |
Date Public
2024-12-05 01:22
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:o:sonicwall:sma100_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "sma100_firmware",
"vendor": "sonicwall",
"versions": [
{
"lessThanOrEqual": "10.2.1.13-72sv",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T15:07:30.378191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T15:10:12.280Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"Linux"
],
"product": "SMA100",
"vendor": "SonicWall",
"versions": [
{
"status": "affected",
"version": "10.2.1.13-72sv and earlier versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Alain Mowat of Orange Cyberdefense, Switzerland."
}
],
"datePublic": "2024-12-05T01:22:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUse of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e\n\n\u003c/span\u003e"
}
],
"value": "Use of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T13:53:37.282Z",
"orgId": "44b2ff79-1416-4492-88bb-ed0da00c7315",
"shortName": "sonicwall"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018"
}
],
"source": {
"advisory": "SNWLID-2024-0018",
"discovery": "EXTERNAL"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "44b2ff79-1416-4492-88bb-ed0da00c7315",
"assignerShortName": "sonicwall",
"cveId": "CVE-2024-53702",
"datePublished": "2024-12-05T13:53:37.282Z",
"dateReserved": "2024-11-22T09:54:04.963Z",
"dateUpdated": "2024-12-05T15:10:12.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Implementation
Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.
No CAPEC attack patterns related to this CWE.