CVE-2024-58134

CVE-2024-58134

Name

CVE-2024-58134

Description

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default. These predictable default secrets can be exploited by an attacker to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://github.com/hashcat/hashcat/pull/4090
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://github.com/mojolicious/mojo/pull/1791
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://github.com/mojolicious/mojo/pull/2200
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://www.synacktiv.com/publications/baking-mojolicious-cookies
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://github.com/mojolicious/mojo/pull/2252
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://lists.debian.org/debian-perl/2025/05/msg00016.html
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://lists.debian.org/debian-perl/2025/05/msg00017.html
9b29abf9-4ab0-4765-b253-1875cd9b441e	https://lists.debian.org/debian-perl/2025/05/msg00018.html

Type

URI