CPANSA-Mojolicious-2020-01: Mojolicious vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2020-11-10T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
| Current release date | 2020-11-10T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 7.5 | Severity | |
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.
Vulnerabilities
CVE-2020-36829
Vulnerability DescriptionThe Mojolicious module before 8.65 for Perl is vulnerable to secure_compare timing attacks that allow an attacker to guess the length of a secret string. Only versions after 1.74 are affected.
Product status
Known affected
| Product | Score | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Mojolicious greater than 1.74 and less than 8.65 |
|
Fixed
- Mojolicious greater than or equal 8.65
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-Mojolicious-2020-01 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2020/cpansa-mojolicious-2020-01.json - https://github.com/mojolicious/mojo/pull/1601 external
https://github.com/mojolicious/mojo/pull/1601 - CVE-2020-36829 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2020-36829
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Tue Nov 10 00:00:00 2020 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/