Vulnerability Description
Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wonko | Smolder | <= 1.51 |
Related Weaknesses (CWE)
References
- https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pmIssue Tracking
- https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.Issue Tracking
- https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.Issue Tracking
- https://perldoc.perl.org/functions/randThird Party Advisory
- https://security.metacpan.org/docs/guides/random-data-for-security.htmlThird Party Advisory
FAQ
What is CVE-2024-58041?
CVE-2024-58041 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is...
How severe is CVE-2024-58041?
CVE-2024-58041 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-58041?
Check the references section above for vendor advisories and patch information. Affected products include: Wonko Smolder.