CVE-2024-58135

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-58135

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-58135.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-58135

Related

UBUNTU-CVE-2024-58135

Published

2025-05-03T11:15:48Z

Modified

2025-05-17T14:23:31.182464Z

Summary

[none]

Details

Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets.

When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

References

Affected packages

Debian:11 / libmojolicious-perl

Package

Name: libmojolicious-perl
Purl: pkg:deb/debian/libmojolicious-perl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.71+dfsg-1

9.*

9.21+dfsg-1

9.21+dfsg-2

9.22+dfsg-1

9.22+dfsg-2

9.23+dfsg-1

9.24+dfsg-1

9.25+dfsg-1

9.26+dfsg-1

9.27+dfsg-1

9.28+dfsg-1

9.31+dfsg-1

9.33+dfsg-1

9.34+dfsg-1

9.35+dfsg-1

9.36+dfsg-1~bpo12+2

9.36+dfsg-1

9.37+dfsg-1

9.37+dfsg-2~bpo12+1

9.37+dfsg-2

9.38+dfsg-1

9.39+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libmojolicious-perl

Package

Name: libmojolicious-perl
Purl: pkg:deb/debian/libmojolicious-perl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.31+dfsg-1

9.33+dfsg-1

9.34+dfsg-1

9.35+dfsg-1

9.36+dfsg-1~bpo12+2

9.36+dfsg-1

9.37+dfsg-1

9.37+dfsg-2~bpo12+1

9.37+dfsg-2

9.38+dfsg-1

9.39+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libmojolicious-perl

Package

Name: libmojolicious-perl
Purl: pkg:deb/debian/libmojolicious-perl?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.31+dfsg-1

9.33+dfsg-1

9.34+dfsg-1

9.35+dfsg-1

9.36+dfsg-1~bpo12+2

9.36+dfsg-1

9.37+dfsg-1

9.37+dfsg-2~bpo12+1

9.37+dfsg-2

9.38+dfsg-1

9.39+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/mojolicious/mojo

Affected ranges

Type: GIT
Repo: https://github.com/mojolicious/mojo
Events: Introduced

466b3bb90fbd055410771ea09f0506b2f26faf2f

Last affected

1a87f721d24a4542ac7828753696e9462f790ab6

Affected versions

v7.*

v7.28

v7.29

v7.30

v7.31

v7.32

v7.33

v7.34

v7.35

v7.36

v7.37

v7.38

v7.39

v7.40

v7.41

v7.42

v7.43

v7.44

v7.45

v7.46

v7.47

v7.48

v7.49

v7.50

v7.51

v7.52

v7.53

v7.54

v7.55

v7.56

v7.57

v7.58

v7.59

v7.60

v7.61

v7.62

v7.63

v7.64

v7.65

v7.66

v7.67

v7.68

v7.69

v7.70

v7.71

v7.72

v7.73

v7.74

v7.75

v7.76

v7.77

v7.78

v7.79

v7.80

v7.81

v7.82

v7.83

v7.84

v7.85

v7.86

v7.87

v7.88

v7.89

v7.90

v7.91

v7.92

v7.93

v7.94

v8.*

v8.0

v8.01

v8.02

v8.03

v8.04

v8.05

v8.06

v8.07

v8.08

v8.09

v8.10

v8.11

v8.12

v8.13

v8.14

v8.15

v8.16

v8.17

v8.18

v8.19

v8.20

v8.21

v8.22

v8.23

v8.24

v8.25

v8.26

v8.27

v8.28

v8.29

v8.30

v8.31

v8.32

v8.33

v8.34

v8.35

v8.36

v8.37

v8.38

v8.39

v8.40

v8.41

v8.42

v8.50

v8.51

v8.52

v8.53

v8.54

v8.55

v8.56

v8.57

v8.58

v8.59

v8.60

v8.61

v8.62

v8.63

v8.64

v8.65

v8.66

v8.67

v8.68

v8.69

v8.70

v8.71

v8.72

v8.73

v9.*

v9.0

v9.01

v9.02

v9.03

v9.07

v9.08

v9.09

v9.10

v9.11

v9.12

v9.13

v9.14

v9.15

v9.16

v9.17

v9.18

v9.19

v9.20

v9.21

v9.22

v9.23

v9.24

v9.25

v9.26

v9.27

v9.28

v9.29

v9.30

v9.31

v9.32

v9.33

v9.34

v9.35

v9.36

v9.37

v9.38

v9.39

v9.40