FKIE_CVE-2024-58134

Vulnerability from fkie_nvd - Published: 2025-05-03 16:15 - Updated: 2025-10-20 20:15
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
References
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://github.com/hashcat/hashcat/pull/4090Issue Tracking, Patch
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://github.com/mojolicious/mojo/pull/1791Issue Tracking, Patch
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://github.com/mojolicious/mojo/pull/2200Issue Tracking, Patch
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://github.com/mojolicious/mojo/pull/2252
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://lists.debian.org/debian-perl/2025/05/msg00016.html
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://lists.debian.org/debian-perl/2025/05/msg00017.html
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://lists.debian.org/debian-perl/2025/05/msg00018.html
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802Third Party Advisory
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51Product
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://www.synacktiv.com/publications/baking-mojolicious-cookiesExploit
Impacted products
Vendor Product Version
mojolicious mojolicious *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*",
              "matchCriteriaId": "007066BB-83B9-4F4C-BAAB-261837197373",
              "versionEndIncluding": "9.40",
              "versionStartIncluding": "0.999922",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application\u0027s class name, as an HMAC session cookie secret by default.\n\nThese predictable default secrets can be exploited by an attacker to forge session cookies.\u00a0 An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session."
    },
    {
      "lang": "es",
      "value": "Las versiones de Mojolicious de la 0.999922 a la 9.39 para Perl utilizan una cadena de c\u00f3digo fijo, o el nombre de la clase de la aplicaci\u00f3n, como secreto de sesi\u00f3n HMAC por defecto. Estos secretos predeterminados predecibles pueden explotarse para falsificar cookies de sesi\u00f3n. Un atacante que conozca o adivine el secreto podr\u00eda calcular firmas HMAC v\u00e1lidas para la cookie de sesi\u00f3n, lo que le permitir\u00eda manipular o secuestrar la sesi\u00f3n de otro usuario."
    }
  ],
  "id": "CVE-2024-58134",
  "lastModified": "2025-10-20T20:15:36.697",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-03T16:15:19.310",
  "references": [
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/hashcat/hashcat/pull/4090"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/mojolicious/mojo/pull/1791"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/mojolicious/mojo/pull/2200"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://github.com/mojolicious/mojo/pull/2252"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Product"
      ],
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.synacktiv.com/publications/baking-mojolicious-cookies"
    }
  ],
  "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-321"
        },
        {
          "lang": "en",
          "value": "CWE-331"
        }
      ],
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.