CVE-2024-57854: Net::NSCA::Client versions through 0.009002 for Perl use a poor random number generator
Timothy Legge 05 Mar 2026 02:20 UTC
========================================================================
CVE-2024-57854 CPAN Security Group
========================================================================
CVE ID: CVE-2024-57854
Distribution: Net-NSCA-Client
Versions: through 0.009002
MetaCPAN: https://metacpan.org/dist/Net-NSCA-Client
VCS Repo: https://github.com/dougwilson/perl5-net-nsca-client
Description
-----------
Net::NSCA::Client versions through 0.009002 for Perl use a poor random
number generator.
Version v0.003 switched from Crypt::Random to Data::Rand::Obscure for
generating the random initialisation vector sent in the NSCA initial
packet. Data::Rand::Obscure draws its output from Perl's built-in rand()
function, which is a non-cryptographic generator whose output is fully
determined by its seed; it is not suitable for producing IVs or any other
value that must be unpredictable to an attacker.
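The following Perl script is an added illustration of the weakness described
above; it is not code from Net::NSCA::Client, Data::Rand::Obscure or the linked
patch. It builds a 128-byte IV (the length carried in the NSCA initial packet)
once from rand() and once from the operating system's CSPRNG via Crypt::URandom,
and shows that the rand()-based IV is a pure function of the seed. The helper
names weak_iv and strong_iv and the seed values are made up for this example;
Crypt::URandom is assumed to be installed.

```perl
#!/usr/bin/env perl
# Added example, not part of Net::NSCA::Client. Contrasts an IV drawn from
# Perl's rand() with one drawn from the OS CSPRNG. Helper names and seed
# values are hypothetical; Crypt::URandom is assumed to be installed.
use strict;
use warnings;

use constant IV_LENGTH => 128;   # NSCA initial packet carries a 128-byte IV

# rand() is a deterministic, non-cryptographic PRNG: every byte of its
# output stream is fixed once the seed is known. Hashing or hex-encoding
# that output (as a wrapper module might do) does not add entropy.
sub weak_iv {
    my ($seed) = @_;
    srand($seed);    # explicit seed stands in for whatever seeding occurred
    return join '', map { chr(int(rand(256))) } 1 .. IV_LENGTH;
}

# Read the IV straight from the operating system's CSPRNG. Crypt::Random's
# makerandom_octet(Length => IV_LENGTH), which v0.003 moved away from, is
# another acceptable source.
sub strong_iv {
    require Crypt::URandom;
    return Crypt::URandom::urandom(IV_LENGTH);
}

# Returns 1 if two IVs built from the same seed are identical (they are).
sub rand_iv_is_seed_determined {
    my ($seed) = @_;
    return weak_iv($seed) eq weak_iv($seed) ? 1 : 0;
}

# Given a captured rand()-based IV, walk a (hypothetical, small) seed space
# and return the seed that reproduces it, or undef if none does.
sub recover_seed {
    my ($captured, $max_seed) = @_;
    for my $guess (0 .. $max_seed) {
        return $guess if weak_iv($guess) eq $captured;
    }
    return undef;
}

printf "rand()-based IVs from the same seed identical: %s\n",
    rand_iv_is_seed_determined(12345) ? 'yes' : 'no';

my $captured = weak_iv(4242);
my $seed     = recover_seed($captured, 10_000);
printf "seed recovered from captured IV: %s\n", defined $seed ? $seed : 'none';

my $os_a = strong_iv();
my $os_b = strong_iv();
printf "CSPRNG IVs identical across two calls: %s\n",
    $os_a eq $os_b ? 'yes' : 'no';
```

Run it with `perl weak_iv_demo.pl`. The first two lines of output show the
CWE-338 property: the IV is reproducible by anyone who knows or can enumerate
the seed, so it offers no secrecy; the CSPRNG-backed IV has no seed for an
attacker to recover.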
Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
(PRNG)
Solutions
---------
Apply a manual patch (see the pull request linked under References) or
migrate to a different solution.
References
----------
https://metacpan.org/release/DOUGDUDE/Net-NSCA-Client-0.009002/source/lib/Net/NSCA/Client/InitialPacket.pm#L119
https://patch-diff.githubusercontent.com/raw/dougwilson/perl5-net-nsca-client/pull/2.patch
Credits
-------
Robert Rothenberg, finder