CVE-2024-58134

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-58134

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-58134.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-58134

Related

UBUNTU-CVE-2024-58134

Published

2025-05-03T16:15:19Z

Modified

2025-05-12T20:53:05.517601Z

Summary

[none]

Details

Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default.

These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

References

Affected packages

Debian:11 / libmojolicious-perl

Package

Name: libmojolicious-perl
Purl: pkg:deb/debian/libmojolicious-perl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.71+dfsg-1

9.*

9.21+dfsg-1

9.21+dfsg-2

9.22+dfsg-1

9.22+dfsg-2

9.23+dfsg-1

9.24+dfsg-1

9.25+dfsg-1

9.26+dfsg-1

9.27+dfsg-1

9.28+dfsg-1

9.31+dfsg-1

9.33+dfsg-1

9.34+dfsg-1

9.35+dfsg-1

9.36+dfsg-1~bpo12+2

9.36+dfsg-1

9.37+dfsg-1

9.37+dfsg-2~bpo12+1

9.37+dfsg-2

9.38+dfsg-1

9.39+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libmojolicious-perl

Package

Name: libmojolicious-perl
Purl: pkg:deb/debian/libmojolicious-perl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.31+dfsg-1

9.33+dfsg-1

9.34+dfsg-1

9.35+dfsg-1

9.36+dfsg-1~bpo12+2

9.36+dfsg-1

9.37+dfsg-1

9.37+dfsg-2~bpo12+1

9.37+dfsg-2

9.38+dfsg-1

9.39+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libmojolicious-perl

Package

Name: libmojolicious-perl
Purl: pkg:deb/debian/libmojolicious-perl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.31+dfsg-1

9.33+dfsg-1

9.34+dfsg-1

9.35+dfsg-1

9.36+dfsg-1~bpo12+2

9.36+dfsg-1

9.37+dfsg-1

9.37+dfsg-2~bpo12+1

9.37+dfsg-2

9.38+dfsg-1

9.39+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}