CPANSA-Crypt-CBC-2025-2814: Crypt-CBC vulnerability
Publisher | giterlizzi | Document category | csaf_security_advisory |
---|---|---|---|
Initial release date | 2025-04-13T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
Current release date | 2025-04-13T00:00:00 | Build Date | |
Current version | 1 | Status | final |
CVSS v3.1 Base Score | 4 | Severity | |
Original language | en | | |
Vulnerability Description
Crypt::CBC versions between 1.21 and 3.04 for Perl may use the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions. This issue affects operating systems where "/dev/urandom" is unavailable. In that case, Crypt::CBC falls back to using the insecure rand() function.
Vulnerabilities
CVE-2025-2814
Vulnerability Description
Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic functions.
This issue affects operating systems where "/dev/urandom" is unavailable. In that case, Crypt::CBC falls back to using the insecure rand() function.
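As an added example (not part of this advisory or of the Crypt::CBC distribution), the following Perl script checks whether /dev/urandom is readable and supplies Crypt::CBC with a salt drawn from Crypt::URandom, so the library never has to generate entropy itself and the rand() fallback is never reached. It assumes Crypt::CBC 3.x, Crypt::URandom, Crypt::PBKDF2 and CryptX (Crypt::Cipher::AES) are installed, and that Crypt::CBC's -salt option accepts an 8-byte string.

```perl
#!/usr/bin/env perl
# Added example, not code from the advisory or from Crypt::CBC itself.
# Idea: hand Crypt::CBC its salt from a CSPRNG (Crypt::URandom) so that the
# library's own entropy source, and therefore its rand() fallback, is unused.
use strict;
use warnings;
use Crypt::CBC;
use Crypt::URandom qw(urandom);

# Environment check: the weak fallback is only reached when the kernel
# CSPRNG device cannot be read.
sub urandom_available {
    return -r '/dev/urandom' ? 1 : 0;
}

# Build a cipher object whose salt comes from Crypt::URandom. With the
# 'salt' header, key and IV are derived from passphrase + salt by the KDF,
# so Crypt::CBC requests no further random bytes of its own.
sub cbc_with_external_salt {
    my ($passphrase) = @_;
    return Crypt::CBC->new(
        -pass   => $passphrase,
        -cipher => 'Cipher::AES',   # Crypt::Cipher::AES from CryptX (assumed installed)
        -header => 'salt',
        -pbkdf  => 'pbkdf2',        # needs Crypt::PBKDF2 (assumed installed)
        -salt   => urandom(8),      # 8 bytes, the salt size Crypt::CBC expects
    );
}

my $passphrase = 'constructed-example-passphrase';   # constructed value
warn "/dev/urandom not readable: Crypt::CBC would fall back to rand()\n"
    unless urandom_available();

my $cbc   = cbc_with_external_salt($passphrase);
my $plain = 'sample plaintext';                     # constructed value
my $ct    = $cbc->encrypt($plain);

# The salt travels in the "Salted__" header, so the decrypting side only
# needs the passphrase and the same KDF setting.
my $pt = Crypt::CBC->new(
    -pass   => $passphrase,
    -cipher => 'Cipher::AES',
    -header => 'salt',
    -pbkdf  => 'pbkdf2',
)->decrypt($ct);
print $pt eq $plain ? "round trip ok\n" : "round trip FAILED\n";
```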
Weakness | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
---|---|
Product status
Known affected
Product | Score |
---|---|
Crypt-CBC greater than or equal 1.21 | |
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Crypt-CBC-2025-2814 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2025/cpansa-crypt-cbc-2025-2814.json
- https://metacpan.org/dist/Crypt-CBC/source/lib/Crypt/CBC.pm#L777 (external)
- https://perldoc.perl.org/functions/rand (external)
- https://security.metacpan.org/docs/guides/random-data-for-security.html (external)
- https://github.com/lstein/Lib-Crypt-CBC/issues/9 (external)
- CVE-2025-2814 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2025-2814
Revision history
Version | Date of the revision | Summary of the revision |
---|---|---|
1 | Sun Apr 13 00:00:00 2025 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/