CVE-2024-52322
WebService::Xero 0.11 for Perl uses insecure rand() function for cryptographic functions
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
WebService::Xero 0.11 for Perl uses insecure rand() function for cryptographic functions
WebService::Xero 0.11 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically WebService::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.
Reserved 2025-03-26 | Published 2025-04-05 | Updated 2025-04-07 | Assigner CPANSecCWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Robert Rothenberg (RRWO)
perldoc.perl.org/functions/rand
security.metacpan.org/...uides/random-data-for-security.html
metacpan.org/...T/Data-Random-0.13/source/lib/Data/Random.pm
metacpan.org/...ero-0.11/source/lib/WebService/Xero/Agent.pm
metacpan.org/...ero-0.11/source/lib/WebService/Xero/Agent.pm
metacpan.org/...b/WebService/Xero/Agent/PublicApplication.pm
metacpan.org/...b/WebService/Xero/Agent/PublicApplication.pm
Support options
