← Zuruck zu CVEs
CVE-2024-58134
HIGH8.1
Beschreibung
Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
CVE Details
CVSS v3.1 Bewertung8.1
SchweregradHIGH
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienLOW
BenutzerinteraktionNONE
Veroffentlicht5/3/2025
Zuletzt geandert10/20/2025
Quellenvd
Honeypot-Sichtungen0
Betroffene Produkte
mojolicious:mojolicious
Schwachen (CWE)
CWE-321CWE-331
Referenzen
https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/hashcat/hashcat/pull/4090(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/mojolicious/mojo/pull/1791(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/mojolicious/mojo/pull/2200(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://github.com/mojolicious/mojo/pull/2252(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://lists.debian.org/debian-perl/2025/05/msg00016.html(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://lists.debian.org/debian-perl/2025/05/msg00017.html(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://lists.debian.org/debian-perl/2025/05/msg00018.html(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51(9b29abf9-4ab0-4765-b253-1875cd9b441e)
https://www.synacktiv.com/publications/baking-mojolicious-cookies(9b29abf9-4ab0-4765-b253-1875cd9b441e)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.