========================================================================
CVE-2024-57854                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2024-57854
  Distribution:  Net-NSCA-Client
      Versions:  through 0.009002

      MetaCPAN:  https://metacpan.org/dist/Net-NSCA-Client
      VCS Repo:  https://github.com/dougwilson/perl5-net-nsca-client


Net::NSCA::Client versions through 0.009002 for Perl use a poor random
number generator

Description
-----------
Net::NSCA::Client versions through 0.009002 for Perl use a poor random
number generator.

Version v0.003 switched to use Data::Rand::Obscure instead of
Crypt::Random for generation of random initialisation vectors.

Data::Rand::Obscure uses Perl's built-in rand() function, which is not
suitable for cryptographic functions.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Solutions
---------
Apply a manual patch or migrate to a different solution

References
----------
https://metacpan.org/release/DOUGDUDE/Net-NSCA-Client-0.009002/source/lib/Net/NSCA/Client/InitialPacket.pm#L119
https://patch-diff.githubusercontent.com/raw/dougwilson/perl5-net-nsca-client/pull/2.patch

Credits
-------
Robert Rothenberg, finder
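
The weakness in the Description, as an added example (not code from Net::NSCA::Client, Data::Rand::Obscure or the referenced patch): an initialisation vector built from Perl's rand() beside one read from the operating system's CSPRNG. The sub names weak_iv and strong_iv, the 128-byte length, the seed value and the use of /dev/urandom on a Unix-like host are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed IV length for illustration; not taken from the advisory.
my $IV_LEN = 128;

# Weak pattern (CWE-338): bytes from Perl's built-in rand(), a
# non-cryptographic PRNG whose entire output is determined by its seed.
sub weak_iv {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened pattern: bytes from the operating system's CSPRNG.
# Assumes a Unix-like host that provides /dev/urandom.
sub strong_iv {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $len) {
        # Append at the current end of $buf until $len bytes are read.
        my $n = read $fh, $buf, $len - length($buf), length($buf);
        die "read from /dev/urandom failed: $!" unless defined $n;
        die "unexpected EOF on /dev/urandom" if $n == 0;
    }
    close $fh;
    return $buf;
}

# Same seed, same "random" IV: the rand()-based generator is reproducible.
srand(1234);    # constructed seed
my $weak1 = weak_iv($IV_LEN);
srand(1234);
my $weak2 = weak_iv($IV_LEN);
printf "rand() IVs identical after reseeding: %s\n",
    $weak1 eq $weak2 ? 'yes' : 'no';

# The OS CSPRNG exposes no caller-controlled seed to replay.
my $strong1 = strong_iv($IV_LEN);
my $strong2 = strong_iv($IV_LEN);
printf "urandom IVs identical: %s\n", $strong1 eq $strong2 ? 'yes' : 'no';
printf "urandom IV length: %d bytes\n", length $strong1;
```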
