CVE-2024-58135 (GCVE-0-2024-58135)
Vulnerability from cvelistv5
Published
2025-05-03 10:16
Modified
2025-05-12 18:11
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Summary
Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
References
Impacted products
Vendor Product Version
SRI Mojolicious Version: 7.28   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58135",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-05T17:58:51.652027Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-338",
                "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-07T19:06:35.967Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Mojolicious",
          "product": "Mojolicious",
          "programFiles": [
            "lib/Mojolicious/Command/Author/generate/app.pm",
            "lib/Mojo/Util.pm",
            "lib/Mojolicious/Command/generate/app.pm"
          ],
          "programRoutines": [
            {
              "name": "Mojolicious::Command::Author::generate::app::run()"
            },
            {
              "name": "Mojo::Util::generate_secret()"
            }
          ],
          "repo": "https://github.com/mojolicious/mojo",
          "vendor": "SRI",
          "versions": [
            {
              "lessThanOrEqual": "9.40",
              "status": "affected",
              "version": "7.28",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.\u003cbr\u003e\u003cbr\u003eWhen creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys."
            }
          ],
          "value": "Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.\n\nWhen creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-12T18:11:07.373Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://perldoc.perl.org/functions/rand"
        },
        {
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"
        },
        {
          "url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"
        },
        {
          "url": "https://github.com/mojolicious/mojo/pull/2200"
        },
        {
          "url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"
        },
        {
          "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
        },
        {
          "url": "https://github.com/hashcat/hashcat/pull/4090"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
            }
          ],
          "value": "Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "As of version 9.39 of Mojolicious, if a CryptX distribution of version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated."
            }
          ],
          "value": "As of version 9.39 of Mojolicious, if a CryptX distribution of version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-58135",
    "datePublished": "2025-05-03T10:16:10.636Z",
    "dateReserved": "2025-04-07T16:06:37.226Z",
    "dateUpdated": "2025-05-12T18:11:07.373Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-58135\",\"sourceIdentifier\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"published\":\"2025-05-03T11:15:48.037\",\"lastModified\":\"2025-06-17T14:16:05.757\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.\\n\\nWhen creating a default app with the \\\"mojo generate app\\\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Mojolicious de la 7.28 a la 9.39 para Perl pueden generar secretos de sesi\u00f3n HMAC d\u00e9biles. Al crear una aplicaci\u00f3n predeterminada con la herramienta \\\"mojo generate app\\\", se escribe un secreto d\u00e9bil en el archivo de configuraci\u00f3n de la aplicaci\u00f3n mediante la funci\u00f3n insegura rand(), que se utiliza para autenticar y proteger la integridad de las sesiones de la aplicaci\u00f3n. Esto podr\u00eda permitir a un atacante acceder por fuerza bruta a las claves de sesi\u00f3n de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-338\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-338\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*\",\"versionStartIncluding\":\"7.28\",\"versionEndIncluding\":\"9.40\",\"matchCriteriaId\":\"18CB7F71-95D5-44DC-BD63-01394CC408B4\"}]}]}],\"references\":[{\"url\":\"https://github.com/hashcat/hashcat/pull/4090\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/mojolicious/mojo/pull/2200\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Product\"]},{\"url\":\"https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Product\"]},{\"url\":\"https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Product\"]},{\"url\":\"https://perldoc.perl.org/functions/rand\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Product\"]},{\"url\":\"https://security.metacpan.org/docs/guides/random-data-for-security.html\",\"source\":\"9b29abf9-4ab0-4765-b253-1875cd9b441e\",\"tags\":[\"Technical Description\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-58135\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-05T17:58:51.652027Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-338\", \"description\": \"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-05T18:16:35.505Z\"}}], \"cna\": {\"title\": \"Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"affected\": [{\"repo\": \"https://github.com/mojolicious/mojo\", \"vendor\": \"SRI\", \"product\": \"Mojolicious\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.28\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"9.40\"}], \"packageName\": \"Mojolicious\", \"programFiles\": [\"lib/Mojolicious/Command/Author/generate/app.pm\", \"lib/Mojo/Util.pm\", \"lib/Mojolicious/Command/generate/app.pm\"], \"collectionURL\": \"https://cpan.org/modules\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"Mojolicious::Command::Author::generate::app::run()\"}, {\"name\": \"Mojo::Util::generate_secret()\"}]}], \"references\": [{\"url\": \"https://perldoc.perl.org/functions/rand\"}, {\"url\": \"https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181\"}, {\"url\": \"https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202\"}, {\"url\": \"https://github.com/mojolicious/mojo/pull/2200\"}, {\"url\": \"https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220\"}, {\"url\": \"https://security.metacpan.org/docs/guides/random-data-for-security.html\"}, {\"url\": \"https://github.com/hashcat/hashcat/pull/4090\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \\\"openssl rand -base64 32\\\" command.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Ensure that your secret, stored in the application\u0027s configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \\\"openssl rand -base64 32\\\" command.\", \"base64\": false}]}, {\"lang\": \"en\", \"value\": \"As of version 9.39 of Mojolicious, if a CryptX distribution of version 0.080 or later is available in the include path before calling the \\\"mojo generate app\\\" tool, then a secure 1024 bit long secret will be generated.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"As of version 9.39 of Mojolicious, if a CryptX distribution of version 0.080 or later is available in the include path before calling the \\\"mojo generate app\\\" tool, then a secure 1024 bit long secret will be generated.\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.\\n\\nWhen creating a default app with the \\\"mojo generate app\\\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.\u003cbr\u003e\u003cbr\u003eWhen creating a default app with the \\\"mojo generate app\\\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-338\", \"description\": \"CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\"}]}], \"providerMetadata\": {\"orgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"shortName\": \"CPANSec\", \"dateUpdated\": \"2025-05-12T18:11:07.373Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-58135\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-12T18:11:07.373Z\", \"dateReserved\": \"2025-04-07T16:06:37.226Z\", \"assignerOrgId\": \"9b29abf9-4ab0-4765-b253-1875cd9b441e\", \"datePublished\": \"2025-05-03T10:16:10.636Z\", \"assignerShortName\": \"CPANSec\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.