CVE-2024-58135

{"id": "CVE-2024-58135", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2025-05-03T11:15:48.037", "references": [{"url": "https://github.com/hashcat/hashcat/pull/4090", "tags": ["Issue Tracking", "Patch"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://github.com/mojolicious/mojo/commit/789cfa43f9118852b38cbd1fd0a2596bcb9821ea.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://github.com/mojolicious/mojo/commit/fb3733f92cc8a3344e6d615b3c7dac9d538eeab0.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://github.com/mojolicious/mojo/pull/2200", "tags": ["Exploit", "Issue Tracking", "Patch"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://lists.debian.org/debian-perl/2025/05/msg00016.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://lists.debian.org/debian-perl/2025/05/msg00017.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://lists.debian.org/debian-perl/2025/05/msg00018.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220", "tags": ["Product"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202", "tags": ["Product"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181", "tags": ["Product"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-9.46/source/Changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://perldoc.perl.org/functions/rand", "tags": ["Product"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "tags": ["Technical Description"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-338"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "Mojolicious versions from 7.28 through 9.45 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default.\n\nWhen creating a default app skeleton with the \"mojo generate app\" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.\n\nRelease 9.46 fixes the issue by providing high quality randomness, even in absence of CryptX.\n\nUsers should be aware that the update does not replace previously generated weak secrets. A secret generated with the previous version MUST be replaced to ensure the updated version is using a strong secret."}, {"lang": "es", "value": "Las versiones de Mojolicious de la 7.28 a la 9.39 para Perl pueden generar secretos de sesi\u00f3n HMAC d\u00e9biles. Al crear una aplicaci\u00f3n predeterminada con la herramienta \"mojo generate app\", se escribe un secreto d\u00e9bil en el archivo de configuraci\u00f3n de la aplicaci\u00f3n mediante la funci\u00f3n insegura rand(), que se utiliza para autenticar y proteger la integridad de las sesiones de la aplicaci\u00f3n. Esto podr\u00eda permitir a un atacante acceder por fuerza bruta a las claves de sesi\u00f3n de la aplicaci\u00f3n."}], "lastModified": "2026-06-05T14:16:31.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*", "vulnerable": true, "matchCriteriaId": "18CB7F71-95D5-44DC-BD63-01394CC408B4", "versionEndIncluding": "9.40", "versionStartIncluding": "7.28"}], "operator": "OR"}]}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}