8.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Perl's Crypt::Random module after 1.05 and before 1.56 may use the rand() function for cryptographic functions
The Crypt::Random Perl package, versions 1.05 through 1.55, may use the rand() function, which is not cryptographically strong, for cryptographic functions. Crypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and neither /dev/urandom nor an Entropy Gathering Daemon (egd) service is available, Crypt::Random will default to the insecure Crypt::Random::rand provider. In particular, Windows versions of Perl will encounter this issue by default.
References
- https://github.com/perl-Crypt-OpenPGP/Crypt-Random/pull/1
- https://github.com/perl-Crypt-OpenPGP/Crypt-Random/commit/1f8b29e9e89d8d083fd02…
- https://perldoc.perl.org/functions/rand
Affected products
- <1.56
Matching in nixpkgs
- pkgs.perlPackages.CryptRandom
  Interface to /dev/random and /dev/urandom
  - nixos-unstable -
  - nixpkgs-unstable 1.57
- pkgs.perl538Packages.CryptRandom
  Interface to /dev/random and /dev/urandom
  - nixos-unstable -
  - nixpkgs-unstable 1.57
- pkgs.perl540Packages.CryptRandom
  Interface to /dev/random and /dev/urandom
  - nixos-unstable -
  - nixpkgs-unstable 1.57
- pkgs.perlPackages.CryptRandomSeed
  Provide strong randomness for seeding
  - nixos-unstable -
  - nixpkgs-unstable 0.03
- pkgs.perlPackages.CryptRandomSource
  Get weak or strong random data from pluggable sources
  - nixos-unstable -
  - nixpkgs-unstable 0.14
- pkgs.perlPackages.CryptRandomTESHA2
  Random numbers using timer/schedule entropy, aka userspace voodoo entropy
  - nixos-unstable -
  - nixpkgs-unstable TESHA2-0.01
- pkgs.perl538Packages.CryptRandomSeed
  Provide strong randomness for seeding
  - nixos-unstable -
  - nixpkgs-unstable 0.03
- pkgs.perl540Packages.CryptRandomSeed
  Provide strong randomness for seeding
  - nixos-unstable -
  - nixpkgs-unstable 0.03
- pkgs.perl538Packages.CryptRandomSource
  Get weak or strong random data from pluggable sources
  - nixos-unstable -
  - nixpkgs-unstable 0.14
- pkgs.perl538Packages.CryptRandomTESHA2
  Random numbers using timer/schedule entropy, aka userspace voodoo entropy
  - nixos-unstable -
  - nixpkgs-unstable TESHA2-0.01
- pkgs.perl540Packages.CryptRandomSource
  Get weak or strong random data from pluggable sources
  - nixos-unstable -
  - nixpkgs-unstable 0.14
- pkgs.perl540Packages.CryptRandomTESHA2
  Random numbers using timer/schedule entropy, aka userspace voodoo entropy
  - nixos-unstable -
  - nixpkgs-unstable TESHA2-0.01
Package maintainers
- @stigtsp Stig Palmquist <stig@stig.io>