← Volver a CVEs
CVE-2024-58134
HIGH8.1
Descripcion
Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
Detalles CVE
Puntuacion CVSS v3.18.1
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado5/3/2025
Ultima modificacion10/20/2025
Fuentenvd
Avistamientos honeypot0
Productos afectados
mojolicious:mojolicious
Debilidades (CWE)
CWE-321CWE-331
Referencias
https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/hashcat/hashcat/pull/4090(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/mojolicious/mojo/pull/1791(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/mojolicious/mojo/pull/2200(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/mojolicious/mojo/pull/2252(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://lists.debian.org/debian-perl/2025/05/msg00016.html(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://lists.debian.org/debian-perl/2025/05/msg00017.html(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://lists.debian.org/debian-perl/2025/05/msg00018.html(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://www.synacktiv.com/publications/baking-mojolicious-cookies(9b29abf9-4ab0-4765-b253-1875cd9b441e)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.