CVE-2024-58134
CVSS v3.1 base score: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.8 / Impact: 5.2
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
Description
Mojolicious for Perl, from version 0.999922 onward, uses a hard-coded string or the application's class name as the HMAC session-cookie secret by default.
These predictable default secrets allow an attacker to forge session cookies. An attacker who knows or guesses the secret can compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.
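As an added example (not Mojolicious's own code and not the upstream fix), a Mojolicious application startup that sets an explicit secret instead of relying on the class-name default and refuses to start if the default is still in effect. The environment variable names and the 32-character minimum are assumptions of this example.

```perl
package MyApp;
use Mojo::Base 'Mojolicious', -signatures;

# Hardened startup (added example): never rely on the default session secret,
# which Mojolicious derives from the application class name (the moniker).
sub startup ($self) {
  # Assumed deployment convention: current secret in MYAPP_SESSION_SECRET,
  # optional previous secret in MYAPP_SESSION_SECRET_OLD for rotation.
  my $current = $ENV{MYAPP_SESSION_SECRET}
    // die "MYAPP_SESSION_SECRET is not set; refusing to start\n";
  die "MYAPP_SESSION_SECRET is too short\n" if length $current < 32;  # assumed minimum

  # The first secret signs new cookies; later ones are only used for
  # verification, so existing sessions stay valid during a rotation window.
  my @secrets = ($current);
  push @secrets, $ENV{MYAPP_SESSION_SECRET_OLD} if $ENV{MYAPP_SESSION_SECRET_OLD};
  $self->secrets(\@secrets);

  # Guard against misconfiguration: the default secret equals the moniker,
  # so any match means the predictable default would still be accepted.
  die "session secret equals the default moniker; refusing to start\n"
    if grep { $_ eq $self->moniker } @{ $self->secrets };

  $self->routes->get('/' => sub ($c) {
    # Session data is stored in a signed cookie; a forged signature would
    # let a client set this counter (or any other session key) at will.
    $c->session(visits => ($c->session('visits') // 0) + 1);
    $c->render(text => 'visits: ' . $c->session('visits'));
  });
}

1;
```

Generate the secret with a CSPRNG (for example `openssl rand -hex 32`) and deliver it through the deployment's secret store rather than committing it to the source tree.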
Affected (1)
Products: Mojolicious: Mojolicious
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Mojolicious | From 0.999922 to 9.40 |
Related CWEs
CWE-321
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
CWE-331
Insufficient Entropy
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Timeline
No history available yet.