CVE-2024-58134

{"id": "CVE-2024-58134", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2025-05-03T16:15:19.310", "references": [{"url": "https://github.com/hashcat/hashcat/pull/4090", "tags": ["Issue Tracking", "Patch"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://github.com/mojolicious/mojo/pull/1791", "tags": ["Issue Tracking", "Patch"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://github.com/mojolicious/mojo/pull/2200", "tags": ["Issue Tracking", "Patch"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802", "tags": ["Third Party Advisory"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51", "tags": ["Product"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://www.synacktiv.com/publications/baking-mojolicious-cookies", "tags": ["Exploit"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-321"}, {"lang": "en", "value": "CWE-331"}]}], "descriptions": [{"lang": "en", "value": "Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default.\n\nThese predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user\u2019s session."}, {"lang": "es", "value": "Las versiones de Mojolicious de la 0.999922 a la 9.39 para Perl utilizan una cadena de c\u00f3digo fijo, o el nombre de la clase de la aplicaci\u00f3n, como secreto de sesi\u00f3n HMAC por defecto. Estos secretos predeterminados predecibles pueden explotarse para falsificar cookies de sesi\u00f3n. Un atacante que conozca o adivine el secreto podr\u00eda calcular firmas HMAC v\u00e1lidas para la cookie de sesi\u00f3n, lo que le permitir\u00eda manipular o secuestrar la sesi\u00f3n de otro usuario."}], "lastModified": "2025-06-17T14:15:38.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*", "vulnerable": true, "matchCriteriaId": "007066BB-83B9-4F4C-BAAB-261837197373", "versionEndIncluding": "9.40", "versionStartIncluding": "0.999922"}], "operator": "OR"}]}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}