CPANSA-Mojolicious-2024-58134: Mojolicious vulnerability

Publisher: giterlizzi
Document category: csaf_security_advisory
Initial release date: 2025-05-03T00:00:00
Engine: CSAF Perl Toolkit 0.26
Current release date: 2025-05-03T00:00:00
Build Date:
Current version: 1
Status: final
CVSS v3.1 Base Score: 8.1
Severity:
Original language:
Language: en
Also referred to:

Vulnerability Description

Mojolicious versions from 0.999922 through 9.39 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

Vulnerabilities

CVE-2024-58134

Vulnerability Description

Mojolicious versions from 0.999922 through 9.40 for Perl use a hard-coded string, or the application's class name, as an HMAC session secret by default.

These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

Weakness: CWE-321: Use of Hard-coded Cryptographic Key
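The mitigation for this weakness is to replace the framework default with an operator-supplied random secret. The following Mojolicious::Lite application is an added example (not part of this advisory or of the Mojolicious project) that loads the secret from an environment variable and refuses to start if the secret is missing, short, or equal to the insecure default; the variable name MYAPP_SESSION_SECRET is an assumption.

```perl
#!/usr/bin/env perl
# Added example: fail closed when the session secret is predictable.
use Mojolicious::Lite -signatures;
use Mojo::Util qw(secure_compare);

# Assumed variable name; supply at least 32 random bytes (e.g. from a secret store).
my $secret = $ENV{MYAPP_SESSION_SECRET} // '';

# Reject empty or short secrets.
die "MYAPP_SESSION_SECRET must be set to at least 32 random bytes\n"
  if length($secret) < 32;

# Reject the framework default, which is derived from the application
# class name (the moniker) and therefore guessable.
die "MYAPP_SESSION_SECRET must not equal the application moniker\n"
  if secure_compare($secret, app->moniker);

# Install the secret. A list allows rotation: the first entry signs new
# cookies, every entry is accepted when verifying existing ones.
app->secrets([$secret]);

get '/' => sub ($c) {
  # Session data is stored client-side and only protected by the HMAC,
  # so the secret above is what stands between a user and a forged cookie.
  $c->session(visits => ($c->session('visits') // 0) + 1);
  $c->render(text => 'visits: ' . $c->session('visits'));
};

app->start;
```

Run with `MYAPP_SESSION_SECRET=<random value> perl app.pl daemon`; starting without the variable aborts instead of silently falling back to the default secret.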

Product status

Known affected:
  Product: Mojolicious greater than or equal 0.999922
  Score: CVSS 3.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base score 8.1 (High)
Fixed:

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

Revision history

Version | Date of the revision | Summary of the revision
1 | Sat May 3 00:00:00 2025 | First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/