CPANSA-Data-Entropy-2025-1860: Data-Entropy vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2025-03-28T00:00:00	Engine	CSAF Perl Toolkit 0.25
Current release date	2025-03-28T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score	7.7	Severity
Original language		Language	en
Also referred to

Vulnerability Description

Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is notÂ cryptographically secure,Â for cryptographic functions.

Vulnerabilities

CVE-2025-1860

Vulnerability Description

Data::Entropy for Perl 0.007 and earlier use the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

Weakness	CWE-338 : Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Product status

Known affected

Product

Score

Data-Entropy less than or equal 0.007

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
3.1	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N	7.7	High

Fixed

Data-Entropy greater than 0.007

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-Data-Entropy-2025-1860 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2025/cpansa-data-entropy-2025-1860.json
https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.pm#L80 external
https://metacpan.org/release/ZEFRAM/Data-Entropy-0.007/source/lib/Data/Entropy.pm#L80
https://perldoc.perl.org/functions/rand external
https://perldoc.perl.org/functions/rand
https://lists.debian.org/debian-lts-announce/2025/03/msg00026.html external
https://lists.debian.org/debian-lts-announce/2025/03/msg00026.html
CVE-2025-1860 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2025-1860

Revision history

Version	Date of the revision	Summary of the revision
1	Fri Mar 28 00:00:00 2025	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/