GHSA-3R5V-GMFP-3MH9

Vulnerability from github – Published: 2025-05-03 12:30 – Updated: 2025-10-20 21:30
Details

Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.

When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.


{
  "affected": [],
  "aliases": [
    "CVE-2024-58135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-03T11:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.\n\nWhen creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application\u0027s configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application\u0027s sessions. This may allow an attacker to brute force the application\u0027s session keys.",
  "id": "GHSA-3r5v-gmfp-3mh9",
  "modified": "2025-10-20T21:30:27Z",
  "published": "2025-05-03T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hashcat/hashcat/pull/4090"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mojolicious/mojo/pull/2200"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"
    },
    {
      "type": "WEB",
      "url": "https://perldoc.perl.org/functions/rand"
    },
    {
      "type": "WEB",
      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

