CVE-2024-52322

WebService::Xero 0.11 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.

Specifically WebService::Xero uses the Data::Random library which specifically states that it is Useful mostly for test programs. Data::Random uses the rand() function.

Weakness

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Affected Software

Name	Vendor	Start Version	End Version
Webservice::xero	Localshop	*	0.11 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/59.html

References

https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537
https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent.pm#L17
https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent.pm#L178
https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent/PublicApplication.pm#L13
https://metacpan.org/release/LOCALSHOP/WebService-Xero-0.11/source/lib/WebService/Xero/Agent/PublicApplication.pm#L93
https://perldoc.perl.org/functions/rand
https://security.metacpan.org/docs/guides/random-data-for-security.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-52322
CWE	https://cwe.mitre.org/data/definitions/331.html

Insufficient Entropy

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References