fkie_cve-2024-58135
Vulnerability from fkie_nvd
Published
2025-05-03 11:15
Modified
2025-06-17 14:16
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
References
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://github.com/hashcat/hashcat/pull/4090Issue Tracking, Patch
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://github.com/mojolicious/mojo/pull/2200Exploit, Issue Tracking, Patch
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220Product
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202Product
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181Product
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://perldoc.perl.org/functions/randProduct
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://security.metacpan.org/docs/guides/random-data-for-security.htmlTechnical Description
Impacted products
Vendor Product Version
mojolicious mojolicious *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*",
              "matchCriteriaId": "18CB7F71-95D5-44DC-BD63-01394CC408B4",
              "versionEndIncluding": "9.40",
              "versionStartIncluding": "7.28",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.\n\nWhen creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys."
    },
    {
      "lang": "es",
      "value": "Las versiones de Mojolicious de la 7.28 a la 9.39 para Perl pueden generar secretos de sesi\u00f3n HMAC d\u00e9biles. Al crear una aplicaci\u00f3n predeterminada con la herramienta \"mojo generate app\", se escribe un secreto d\u00e9bil en el archivo de configuraci\u00f3n de la aplicaci\u00f3n mediante la funci\u00f3n insegura rand(), que se utiliza para autenticar y proteger la integridad de las sesiones de la aplicaci\u00f3n. Esto podr\u00eda permitir a un atacante acceder por fuerza bruta a las claves de sesi\u00f3n de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2024-58135",
  "lastModified": "2025-06-17T14:16:05.757",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-03T11:15:48.037",
  "references": [
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/hashcat/hashcat/pull/4090"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/mojolicious/mojo/pull/2200"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Product"
      ],
      "url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Product"
      ],
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Product"
      ],
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Product"
      ],
      "url": "https://perldoc.perl.org/functions/rand"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Technical Description"
      ],
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    }
  ],
  "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.