CVE-2024-58135

Exploit

EPSS 0.46%
Veröffentlicht 03.05.2025 10:16:10
Zuletzt bearbeitet 05.06.2026 14:16:31
Quelle 9b29abf9-4ab0-4765-b253-1875cd
CVE-Watchlists
Login
Unerledigt
Login

Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default

Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default.

When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

Release 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX.

Users should be aware that the update does not replace previously generated weak secrets.  A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 16

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mojolicious ≫ Mojolicious SwPlatformperl Version >= 7.28 <= 9.40

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.46%	0.36

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

https://perldoc.perl.org/functions/rand

Product

https://security.metacpan.org/docs/guides/random-data-for-security.html

Technical Description

https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181

Product

https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202

Product

https://github.com/mojolicious/mojo/pull/2200

Patch

Exploit

Issue Tracking

https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220

Product

https://github.com/hashcat/hashcat/pull/4090

Patch

Issue Tracking

https://lists.debian.org/debian-perl/2025/05/msg00016.html

https://lists.debian.org/debian-perl/2025/05/msg00017.html

https://lists.debian.org/debian-perl/2025/05/msg00018.html

https://github.com/mojolicious/mojo/commit/789cfa43f9118852b38cbd1fd0a2596bcb9821ea.patch

https://github.com/mojolicious/mojo/commit/fb3733f92cc8a3344e6d615b3c7dac9d538eeab0.patch

https://metacpan.org/release/SRI/Mojolicious-9.46/source/Changes

https://nvd.nist.gov/vuln/detail/CVE-2024-58135

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-58135

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-58135

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-58135