CVE-2024-58134 (GCVE-0-2024-58134)
Vulnerability from cvelistv5
Published
2025-05-03 16:08
Modified
2025-05-12 18:10
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
  • CWE-331 - Insufficient Entropy
Summary
Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
References
Impacted products
Vendor Product Version
SRI Mojolicious Version: 0.999922   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58134",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T15:57:49.444238Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T16:00:28.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious",
          "product": "Mojolicious",
          "programFiles": [
            "lib/Mojolicious.pm"
          ],
          "programRoutines": [
            {
              "name": "secrets()"
            }
          ],
          "repo": "https://github.com/mojolicious/mojo",
          "vendor": "SRI",
          "versions": [
            {
              "lessThanOrEqual": "9.40",
              "status": "affected",
              "version": "0.999922",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "Antoine Cervoise from Synacktiv"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Jakub Kramarz"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Lukas Atkinson"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application\u0027s class name, as a HMAC session secret by default.\u003cbr\u003e\u003cbr\u003eThese predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session.\u003cbr\u003e"
            }
          ],
          "value": "Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application\u0027s class name, as a HMAC session secret by default.\n\nThese predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321 Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-331",
              "description": "CWE-331 Insufficient Entropy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-12T18:10:58.672Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://github.com/mojolicious/mojo/pull/1791"
        },
        {
          "url": "https://github.com/mojolicious/mojo/pull/2200"
        },
        {
          "url": "https://www.synacktiv.com/publications/baking-mojolicious-cookies"
        },
        {
          "url": "https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802"
        },
        {
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51"
        },
        {
          "url": "https://github.com/hashcat/hashcat/pull/4090"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application\u0027s class name, as a HMAC session secret by default",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command.\u003cbr\u003e"
            }
          ],
          "value": "Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-58134",
    "datePublished": "2025-05-03T16:08:55.042Z",
    "dateReserved": "2025-04-07T16:06:37.226Z",
    "dateUpdated": "2025-05-12T18:10:58.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-58134\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2025-05-03T16:15:19.310\",\"lastModified\":\"2025-06-17T14:15:38.223\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application\u0027s class name, as a HMAC session secret by default.\\n\\nThese predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Mojolicious de la 0.999922 a la 9.39 para Perl utilizan una cadena de c\u00f3digo fijo, o el nombre de la clase de la aplicaci\u00f3n, como secreto de sesi\u00f3n HMAC por defecto. Estos secretos predeterminados predecibles pueden explotarse para falsificar cookies de sesi\u00f3n. Un atacante que conozca o adivine el secreto podr\u00eda calcular firmas HMAC v\u00e1lidas para la cookie de sesi\u00f3n, lo que le permitir\u00eda manipular o secuestrar la sesi\u00f3n de otro usuario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-321\"},{\"lang\":\"en\",\"value\":\"CWE-331\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*\",\"versionStartIncluding\":\"0.999922\",\"versionEndIncluding\":\"9.40\",\"matchCriteriaId\":\"007066BB-83B9-4F4C-BAAB-261837197373\"}]}]}],\"references\":[{\"url\":\"https://github.com/hashcat/hashcat/pull/4090\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/mojolicious/mojo/pull/1791\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/mojolicious/mojo/pull/2200\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Product\"]},{\"url\":\"https://www.synacktiv.com/publications/baking-mojolicious-cookies\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Exploit\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-58134\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-12T15:57:49.444238Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-12T16:00:24.352Z\"}}], \"cna\": {\"title\": \"Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application\u0027s class name, as a HMAC session secret by default\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Antoine Cervoise from Synacktiv\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Jakub Kramarz\"}, {\"lang\": \"en\", \"type\": \"analyst\", \"value\": \"Lukas Atkinson\"}], \"affected\": [{\"repo\": \"https://github.com/mojolicious/mojo\", \"vendor\": \"SRI\", \"product\": \"Mojolicious\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.999922\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.40\"}], \"packageName\": \"Mojolicious\", \"programFiles\": [\"lib/Mojolicious.pm\"], \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"secrets()\"}]}], \"references\": [{\"url\": \"https://github.com/mojolicious/mojo/pull/1791\"}, {\"url\": \"https://github.com/mojolicious/mojo/pull/2200\"}, {\"url\": \"https://www.synacktiv.com/publications/baking-mojolicious-cookies\"}, {\"url\": \"https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802\"}, {\"url\": \"https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51\"}, {\"url\": \"https://github.com/hashcat/hashcat/pull/4090\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \\\"openssl rand -base64 32\\\" command.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Ensure that your Mojolicious application uses a unique secret of at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \\\"openssl rand -base64 32\\\" command.\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application\u0027s class name, as a HMAC session secret by default.\\n\\nThese predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\\u2019s session.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application\u0027s class name, as a HMAC session secret by default.\u003cbr\u003e\u003cbr\u003eThese predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\\u2019s session.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-321\", \"description\": \"CWE-321 Use of Hard-coded Cryptographic Key\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-331\", \"description\": \"CWE-331 Insufficient Entropy\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2025-05-12T18:10:58.672Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-58134\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-12T18:10:58.672Z\", \"dateReserved\": \"2025-04-07T16:06:37.226Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2025-05-03T16:08:55.042Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.