Weak Random Number Generation in Net::EasyTCP for Perl by MNAGUIB
CVE-2002-20002

5.4MEDIUM

Key Information:

Vendor
MNAGUIB
Vendor
CVE Published:
2 January 2025

Summary

The Net::EasyTCP package prior to version 0.15 for Perl is vulnerable due to its reliance on Perl's built-in rand() function for generating cryptographic keys. This function is not suitable for cryptographic purposes as it does not provide strong randomness, potentially leading to predictable key generation and exposing systems to various security risks. Users of affected versions are encouraged to update to a secure version to mitigate these vulnerabilities.

References

https://metacpan.org/release/MNAGUIB/EasyTCP-0.26/changes
https://github.com/briandfoy/cpan-security-advisory/issue...
https://metacpan.org/release/MNAGUIB/EasyTCP-0.15/view/Ea...

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.