CVE-2024-58041
BaseFortify
Publication date: 2026-02-24
Last updated on: 2026-03-04
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wonko | smolder | to 1.51 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Smolder versions through 1.51 for Perl, where the software uses the rand() function as the default source of entropy for cryptographic functions.
The rand() function is not cryptographically secure, meaning it can produce predictable or insufficiently random values, which weakens the security of cryptographic operations.
Specifically, the Smolder::DB::Developer module uses the Data::Random library, which itself relies on rand() and is intended mostly for test programs, not secure cryptographic use.
How can this vulnerability impact me? :
Because the rand() function is not cryptographically secure, any cryptographic functions relying on it may generate weak or predictable keys, passwords, or tokens.
This can lead to compromised security, such as easier password guessing, token prediction, or other attacks that exploit weak randomness.
In the context of Smolder, this affects password generation and encryption processes, potentially allowing attackers to guess or reproduce passwords or cryptographic secrets.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves the use of the insecure rand() function in Smolder versions through 1.51 for Perl, specifically in cryptographic functions. Detection would involve identifying if your system is running Smolder version 1.51 or earlier and if the Data::Random library is used for cryptographic purposes.'}, {'type': 'paragraph', 'content': 'To detect this on your system, you can check the installed version of Smolder and inspect the relevant Perl modules for usage of the rand() function in cryptographic contexts.'}, {'type': 'list_item', 'content': 'Check the Smolder version installed: `smolder --version` or check the version in your Perl environment.'}, {'type': 'list_item', 'content': "Search for usage of the Data::Random module or rand() function in your Smolder Perl modules, for example: `grep -r 'rand(' /path/to/smolder/`"}, {'type': 'list_item', 'content': "Specifically check the Smolder::DB::Developer module for password encryption methods that use rand(), e.g., `grep -r 'Data::Random' /path/to/smolder/lib/Smolder/DB/Developer.pm`"}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps involve avoiding the use of the insecure rand() function for cryptographic purposes in Smolder versions 1.51 and earlier.
You should upgrade to a version of Smolder that does not use rand() for cryptographic functions or modify the code to replace the use of Data::Random and rand() with a cryptographically secure random number generator.
- Upgrade Smolder to a version later than 1.51 if available.
- Replace or patch the password encryption method in Smolder::DB::Developer to use a secure random source instead of rand().
- Audit any cryptographic functions relying on Data::Random and ensure they use secure entropy sources.
- Consider resetting passwords or cryptographic keys generated using the insecure method.