CVE-2024-58134

Exploit

EPSS 0.3%
Veröffentlicht 03.05.2025 16:15:19
Zuletzt bearbeitet 20.10.2025 20:15:36
Quelle 9b29abf9-4ab0-4765-b253-1875cd
CVE-Watchlists
Login
Unerledigt
Login

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default.

These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mojolicious ≫ Mojolicious SwPlatformperl Version >= 0.999922 <= 9.40

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.525

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

https://github.com/mojolicious/mojo/pull/2200

Patch

Issue Tracking

https://github.com/hashcat/hashcat/pull/4090

Patch

Issue Tracking

https://github.com/mojolicious/mojo/pull/1791

Patch

Issue Tracking

https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802

Third Party Advisory

https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51