CVE-2024-58135
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/05/2025
Last modified:
03/05/2025
Description
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.

When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
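As an added example (not code from the Mojolicious project or from this advisory), the pattern described above beside its remediation: a secret built from Perl's rand(), next to one drawn from the operating system CSPRNG via the CPAN module Crypt::URandom and installed with the app's secrets method. Crypt::URandom, the 32-byte length and the minimal app shape are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);   # OS CSPRNG (getrandom/urandom/CryptGenRandom)

# The weak pattern (illustration of the class of bug, not the project's code):
# rand() is a general-purpose PRNG with a small, guessable state, so a
# secret derived from it can be recovered far faster than by brute force.
sub weak_secret {
    my $bytes = shift // 32;
    return join '', map { sprintf '%02x', int rand 256 } 1 .. $bytes;
}

# The hardened pattern: take the secret from the OS CSPRNG and hex-encode it.
# 32 bytes gives a 256-bit secret (length is an assumption, not the project's value).
sub strong_secret {
    my $bytes = shift // 32;
    return unpack 'H*', urandom($bytes);
}

# Cheap sanity check for an existing configuration: Mojolicious secrets are
# free-form strings, so at least require enough material to resist guessing.
sub secret_looks_adequate {
    my $secret = shift;
    return defined $secret && length($secret) >= 32;
}

# Installing the secret in a Mojolicious::Lite app (assumed app shape):
#
#   use Mojolicious::Lite -signatures;
#   app->secrets([ strong_secret() ]);
#
# Mojolicious signs with the first secret in the list and verifies against all
# of them, so a rotation lists the new secret first and drops the old
# rand()-derived one once existing sessions may be invalidated.

print "weak   : ", weak_secret(),   "\n";
print "strong : ", strong_secret(), "\n";
```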
Impact
References to Advisories, Solutions, and Tools
- https://github.com/hashcat/hashcat/pull/4090
- https://github.com/mojolicious/mojo/pull/2200
- https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220
- https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202
- https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181
- https://perldoc.perl.org/functions/rand
- https://security.metacpan.org/docs/guides/random-data-for-security.html