CVE-2024-57835: Amon2::Auth::Site::LINE versions through 0.04 for Perl uses insecure rand() function for cryptographic functions
Timothy Legge 05 Apr 2025 16:12 UTC
========================================================================
CVE-2024-57835 CPAN Security Group
========================================================================
CVE ID: CVE-2024-57835
Distribution: Amon2-Auth-Site-LINE
Versions: through 0.04
MetaCPAN: https://metacpan.org/dist/Amon2-Auth-Site-LINE
VCS Repo: https://github.com/nipotan/p5-Amon2-Auth-Site-LINE

Amon2::Auth::Site::LINE versions through 0.04 for Perl uses insecure
rand() function for cryptographic functions

Description
-----------
Amon2::Auth::Site::LINE uses the String::Random module to generate
nonce values.

String::Random defaults to Perl's built-in predictable random number
generator, the rand() function, which is not cryptographically secure.

Problem types
-------------
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
(PRNG)

References
----------
https://metacpan.org/release/SHLOMIF/String-Random-0.32/source/lib/String/Random.pm#L377
https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L235
https://metacpan.org/release/TANIGUCHI/Amon2-Auth-Site-LINE-0.04/source/lib/Amon2/Auth/Site/LINE.pm#L255
https://security.metacpan.org/docs/guides/random-data-for-security.html
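
The weakness described above, next to a hardened nonce generator, as an added example that is not code from this advisory or from Amon2::Auth::Site::LINE. The names weak_nonce and secure_nonce are hypothetical, rand() is called directly to stand in for String::Random's default behaviour, and a Unix-like system with /dev/urandom is assumed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64url);

my @ALNUM = ('a' .. 'z', 'A' .. 'Z', '0' .. '9');

# Weak pattern (for comparison): characters picked with the built-in rand(),
# the generator String::Random uses by default.
sub weak_nonce {
    my ($len) = @_;
    return join '', map { $ALNUM[ int rand @ALNUM ] } 1 .. $len;
}

# Hardened pattern: take bytes from the kernel CSPRNG and encode them.
# Assumption: /dev/urandom exists (Unix-like systems).
sub secure_nonce {
    my ($nbytes) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    # Loop so that a short read never yields a nonce with less entropy.
    while (length($buf) < $nbytes) {
        my $got = read($fh, $buf, $nbytes - length($buf), length($buf));
        die "read from /dev/urandom failed: $!" unless defined $got;
        die "unexpected EOF on /dev/urandom" if $got == 0;
    }
    close $fh;
    return encode_base64url($buf);    # URL-safe alphabet, no padding
}

# rand() output is a pure function of its seed: reseeding with the same
# value reproduces the same "random" nonce.
srand(1234);    # constructed seed, for demonstration only
my $first = weak_nonce(32);
srand(1234);
my $second = weak_nonce(32);
printf "rand() nonce repeats under the same seed: %s\n",
    $first eq $second ? 'yes' : 'no';

# 32 bytes from the kernel give a 256-bit nonce.
my ($n1, $n2) = (secure_nonce(32), secure_nonce(32));
printf "CSPRNG nonce: %s\n", $n1;
printf "two CSPRNG nonces differ: %s\n", $n1 ne $n2 ? 'yes' : 'no';
```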