CVE-2024-58134

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-58134
Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/hashcat/hashcat/pull/4090
https://github.com/mojolicious/mojo/pull/1791
https://github.com/mojolicious/mojo/pull/2200
https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802
https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51
https://www.synacktiv.com/publications/baking-mojolicious-cookies
Configurations

No configuration.

History

12 May 2025, 19:15

Type Values Removed Values Added
Summary (en) Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session. (en) Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

12 May 2025, 16:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.1

05 May 2025, 20:54

Type Values Removed Values Added
Summary
  • (es) Las versiones de Mojolicious de la 0.999922 a la 9.39 para Perl utilizan una cadena de código fijo, o el nombre de la clase de la aplicación, como secreto de sesión HMAC por defecto. Estos secretos predeterminados predecibles pueden explotarse para falsificar cookies de sesión. Un atacante que conozca o adivine el secreto podría calcular firmas HMAC válidas para la cookie de sesión, lo que le permitiría manipular o secuestrar la sesión de otro usuario.

03 May 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-03 16:15

Updated : 2025-05-12 19:15

NVD link : CVE-2024-58134

Mitre link : CVE-2024-58134

CVE.ORG link : CVE-2024-58134

JSON object : View

Products Affected

No product.

CWE
CWE-321

Use of Hard-coded Cryptographic Key

CWE-331

Insufficient Entropy