PT-2025-15068 · Unknown+1 · Data::Random+1

Robert Rothenberg · Published 2025-04-05 · Updated 2025-09-05

CVE-2024-56370
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Net::Xero versions 0.044 and earlier

Description
The issue concerns the use of the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions. Specifically, Net::Xero uses the Data::Random library, which its own documentation describes as "Useful mostly for test programs" and which draws its values from rand().

Recommendations
For Net::Xero versions 0.044 and earlier, consider using a cryptographically secure source of entropy instead of the rand() function. As a temporary workaround, consider disabling the use of the Data::Random library until a patch is available, and restrict access to the cryptographic functions that rely on rand() to minimize the risk of exploitation.
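Added example, not code from this advisory, Net::Xero or Data::Random: the weak pattern the description refers to beside a hardened replacement. It assumes a nonce-style token generator (how Net::Xero itself calls Data::Random is not shown on this page) and the CPAN modules Crypt::URandom and MIME::Base64.

```perl
# Added illustration; the function names and the nonce use case are assumptions.
use strict;
use warnings;
use Data::Random qw(rand_chars);    # draws from Perl's rand(): test data only
use Crypt::URandom qw(urandom);     # reads the operating system's CSPRNG
use MIME::Base64 qw(encode_base64url);

# Weak: rand() has a small, seedable state, so anyone who learns or guesses
# the seed can reproduce every "random" value, including a nonce or token.
sub weak_nonce {
    return join '', rand_chars( set => 'alphanumeric', size => 32 );
}

# Hardened: 24 bytes from the OS CSPRNG, encoded as URL-safe text (32 chars,
# no padding). urandom() dies on failure rather than returning weak output.
sub secure_nonce {
    return encode_base64url( urandom(24) );
}

# Defect check: with the same seed, the weak generator repeats itself exactly,
# which is the property a cryptographic source must never have.
srand(12345); my $first  = weak_nonce();
srand(12345); my $second = weak_nonce();
print "weak generator is reproducible\n" if $first eq $second;

printf "weak:   %s\n", weak_nonce();
printf "secure: %s\n", secure_nonce();
```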

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-56370

Affected Products

Data::Random
Net::Xero