Insufficient Entropy

CVE-2025-1828

High

8.8/10

Summary

Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider. In particular, Windows versions of perl will encounter this issue by default.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-331 - Insufficient Entropy

The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References

Advisory Timeline

Published Mar 11, 2025

Insufficient Entropy

CVE-2025-1828

Summary

CWE-331 - Insufficient Entropy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS