CVE-2024-56830: 
Linux Debian vulnerability analysis and mitigation

The Net::EasyTCP package versions 0.15 through 0.26 for Perl contains a cryptographic vulnerability identified as CVE-2024-56830. The vulnerability was discovered and disclosed on January 2, 2025, affecting the package's random number generation functionality. The issue stems from the package's fallback behavior of using Perl's built-in rand() function when no strong randomization module is present (NVD, MITRE).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N. The issue is categorized under CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). The core problem lies in the package's fallback mechanism to Perl's built-in rand() function when the Crypt::Random module is not available, potentially compromising the cryptographic security of applications using this package (NVD).

The use of a cryptographically weak random number generator (Perl's built-in rand()) can potentially compromise the security of applications relying on Net::EasyTCP for secure communications. This weakness could lead to predictable random numbers being generated, potentially affecting encryption key generation and other security-critical operations (NVD).

The issue was first addressed in version 0.15 with the implementation of a stronger number generator (Crypt::Random). However, the fix was incomplete as the package still falls back to the insecure rand() function when Crypt::Random is not available. Users should ensure that the Crypt::Random module is installed and available in their Perl environment to avoid the fallback to the insecure rand() function (METACPAN).