PT-2025-15065 · Unknown · Webservice::Xero+1
Robert Rothenberg
·
Published
2025-04-05
·
Updated
2025-11-13
·
CVE-2024-52322
CVSS v3.1
5.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
WebService::Xero versions 0.11 and earlier
Description
WebService::Xero draws the random values it uses for cryptographic functions from the Data::Random library, which in turn is built on Perl's rand(). rand() is a non-cryptographic pseudo-random generator: its output is fully determined by a small internal state, so anyone who learns the seed, or who can reconstruct the state from a handful of observed outputs, can predict every value it will produce. Data::Random's own documentation describes it as intended for generating test data, which is a clear signal that it is unsuitable for security-sensitive use such as nonces, tokens, or key material.
Recommendations
Upgrade from WebService::Xero 0.11 or earlier to a release that draws its random values from a cryptographically secure source. If you cannot upgrade yet, patch your local copy so that the affected functions no longer call Data::Random (and so rand()) and instead use a CSPRNG, for example Crypt::URandom, which reads from the operating system's random device. Treat any nonces or tokens generated by the vulnerable code path as predictable, and limit use of that code path until the generator has been replaced.
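The following Perl script is an added example for this advisory, not code from WebService::Xero or Data::Random. It places the weak pattern the description names (Data::Random on top of rand()) beside the kind of replacement the recommendations call for, here assumed to be Crypt::URandom, which reads the operating system's random device. The function names weak_nonce and strong_nonce are our own, chosen for illustration, and the reseeding with srand() is a stand-in for an attacker who has recovered the generator state.

```perl
#!/usr/bin/env perl
# Added example (not WebService::Xero's own code): contrasts a
# rand()-backed token generator with a CSPRNG-backed one.
use strict;
use warnings;
use Data::Random qw(rand_chars);   # CPAN; the module named in the advisory
use Crypt::URandom qw(urandom);    # CPAN; assumed replacement, reads /dev/urandom or equivalent

# Weak: Data::Random picks characters with Perl's rand(), whose state is
# only 48 bits (Perl ships its own drand48 since 5.20). weak_nonce is a
# hypothetical name for this pattern, not an API of either module.
sub weak_nonce {
    my $len = shift // 32;
    # rand_chars returns a list of characters in list context.
    return join '', rand_chars( set => 'alphanumeric', size => $len );
}

# Strong: 24 bytes (192 bits) straight from the OS CSPRNG, hex-encoded.
# strong_nonce is likewise a hypothetical name used only in this example.
sub strong_nonce {
    my $nbytes = shift // 24;
    return unpack 'H*', urandom($nbytes);
}

# Show why rand() is unsuitable: once the generator state is known (here
# simulated by reseeding with the same value), the "random" nonce is
# reproduced exactly. Because the state is so small, an attacker who has
# seen a few outputs can brute-force it offline and predict the rest.
srand(12345);
my $first = weak_nonce();
srand(12345);
my $second = weak_nonce();
printf "rand()-based nonces identical after reseeding: %s\n",
    $first eq $second ? 'yes' : 'no';

# urandom() has no user-controllable seed; consecutive outputs are
# independent and cannot be replayed by reseeding.
my $one = strong_nonce();
my $two = strong_nonce();
printf "urandom-based nonces identical: %s\n", $one eq $two ? 'yes' : 'no';

print "weak:   $first\n";
print "strong: $one\n";
```

Run it with both modules installed from CPAN. The first line reports identical nonces because rand() is deterministic given its state; the second reports different ones. When patching a local copy of the module, the change is exactly this substitution: replace the rand_chars() call with bytes from urandom() and encode them as the surrounding code expects.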
Fix
Related Identifiers
Affected Products
Data::Random
WebService::Xero