CVE-2025-1860
7.7 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Data::Entropy for Perl uses insecure rand() function for cryptographic functions
Data::Entropy for Perl versions 0.007 and earlier use Perl's built-in rand() function as the default source of entropy. rand() is a seeded pseudorandom number generator whose entire output is determined by its seed; it is not cryptographically secure, so keys, tokens and nonces produced through the default source have far less entropy than their length suggests. Only the default is affected: code that selects an entropy source explicitly (for example through with_entropy_source) does not fall back to rand(). Version 0.008 changes the default.
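The following Perl script is an added example and is not part of the advisory or of the Data::Entropy distribution. It shows why rand() is unfit as an entropy source (reseeding reproduces its whole output), checks whether the installed module is older than 0.008, and pins an explicit kernel-backed source using Data::Entropy's with_entropy_source, Data::Entropy::Source and Data::Entropy::RawSource::Local so application code never touches the rand()-derived default. The seed value, the /dev/urandom path and a Linux-like system with the module installed are assumptions.

```perl
#!/usr/bin/env perl
# Added example, not from the advisory or the Data::Entropy distribution.
# Assumes Data::Entropy is installed and /dev/urandom exists (Linux-like host).
use strict;
use warnings;
use Data::Entropy qw(with_entropy_source);
use Data::Entropy::Source;
use Data::Entropy::RawSource::Local;
use Data::Entropy::Algorithms qw(rand_int rand_bits);

# 1. rand() is deterministic given its seed: two runs from the same seed
#    yield byte-for-byte identical "random" output. Anyone who learns or
#    brute-forces the seed recovers everything derived from it, which is why
#    a rand()-seeded default source is not fit for keys or tokens.
srand(20250001);                                   # constructed seed
my @first  = map { int(rand(256)) } 1 .. 8;
srand(20250001);
my @second = map { int(rand(256)) } 1 .. 8;
print "rand() bytes with reused seed: @first\n";
print "second run identical: ", ("@first" eq "@second" ? "yes" : "no"), "\n";

# 2. Detect an affected version. UNIVERSAL::VERSION dies when the installed
#    version is older than the minimum, so trap it and warn instead of aborting.
my $fixed = eval { Data::Entropy->VERSION("0.008"); 1 };
warn "Data::Entropy $Data::Entropy::VERSION is < 0.008: "
   . "its default entropy source is derived from rand()\n"
    unless $fixed;

# 3. Regardless of version, select the entropy source explicitly. The kernel
#    CSPRNG is read through Data::Entropy's own adapters, and every
#    Data::Entropy::Algorithms call made inside the block draws from it.
#    (RawSource::Local defaults to /dev/random, which may block; /dev/urandom
#    is the usual choice once the kernel pool is initialised.)
my $urandom = Data::Entropy::Source->new(
    Data::Entropy::RawSource::Local->new("/dev/urandom"),
    "sysread",
);

my ($token, $key);
with_entropy_source $urandom, sub {
    $token = rand_int(1_000_000);   # uniform integer in [0, 1_000_000)
    $key   = rand_bits(256);        # 32 octets of raw key material
};
printf "token: %06d\nkey:   %s\n", $token, unpack("H*", $key);
```

Selecting the source explicitly is the mitigation that works on every version; upgrading to 0.008 or later fixes the default for code you do not control.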
References
- https://perldoc.perl.org/functions/rand
- https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.…
- https://lists.debian.org/debian-lts-announce/2025/03/msg00026.html
Affected products
Data-Entropy
- <0.008
Matching in nixpkgs
- pkgs.perlPackages.DataEntropy (Entropy (randomness) management): nixos-unstable -; nixpkgs-unstable 0.008
- pkgs.perl538Packages.DataEntropy (Entropy (randomness) management): nixos-unstable -; nixpkgs-unstable 0.008
- pkgs.perl540Packages.DataEntropy (Entropy (randomness) management): nixos-unstable -; nixpkgs-unstable 0.008