CVE-2024-58041

Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions. Smolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is "Useful mostly for test programs". Data::Random uses the rand() function.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537	Issue Tracking
https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221	Issue Tracking
https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5	Issue Tracking
https://perldoc.perl.org/functions/rand	Third Party Advisory
https://security.metacpan.org/docs/guides/random-data-for-security.html	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wonko:smolder:*:*:*:*:*:perl:*:*

History

No history.

Information

Published : 2026-02-24 00:16

Updated : 2026-03-04 02:22

NVD link : CVE-2024-58041

Mitre link : CVE-2024-58041

CVE.ORG link : CVE-2024-58041

JSON object : View

Products Affected

wonko

smolder

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

{"id": "CVE-2024-58041", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-02-24T00:16:17.820", "references": [{"url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537", "tags": ["Issue Tracking"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221", "tags": ["Issue Tracking"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5", "tags": ["Issue Tracking"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://perldoc.perl.org/functions/rand", "tags": ["Third Party Advisory"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "tags": ["Third Party Advisory"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.\n\nSmolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function."}, {"lang": "es", "value": "Las versiones de Smolder hasta la 1.51 para Perl utilizan la funci\u00f3n rand() insegura para funciones criptogr\u00e1ficas.\n\nSmolder 1.51 y anteriores para Perl utilizan la funci\u00f3n rand() como fuente de entrop\u00eda predeterminada, que no es criptogr\u00e1ficamente segura, para funciones criptogr\u00e1ficas.\n\nEspec\u00edficamente, Smolder::DB::Developer utiliza la biblioteca Data::Random, que espec\u00edficamente indica que es '\u00datil principalmente para programas de prueba'. Data::Random utiliza la funci\u00f3n rand()."}], "lastModified": "2026-03-04T02:22:32.640", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wonko:smolder:*:*:*:*:*:perl:*:*", "vulnerable": true, "matchCriteriaId": "070DDE49-67CA-4E26-A763-0EC6C4C85834", "versionEndIncluding": "1.51"}], "operator": "OR"}]}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}