Description

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl are susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker who obtains a session id cookie can use it to impersonate the victim.
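The mitigation applications had to apply themselves on affected versions is to rotate the session id right after a successful authentication, using the change_session_id method that Catalyst::Plugin::Session provides. The controller below is an added example, not code from the advisory or from the Catalyst project; the application name MyApp, the controller name, the form parameter names and the login template are assumptions.

```perl
package MyApp::Controller::Login;   # hypothetical application and controller name
use Moose;
use namespace::autoclean;
BEGIN { extends 'Catalyst::Controller' }

# Assumes MyApp loads the Session and Authentication plugins, e.g.
#   use Catalyst qw/Session Session::Store::File Session::State::Cookie Authentication/;
# and that the configured realm uses 'username' and 'password' fields.

sub login : Path('/login') Args(0) {
    my ($self, $c) = @_;
    my $p = $c->req->body_params;

    if ($c->req->method eq 'POST'
        && $c->authenticate({ username => $p->{username},
                              password => $p->{password} })) {
        # Session fixation (CWE-384): the session the browser carried before
        # login may have been planted by an attacker who already knows its id.
        # Issue a fresh id for the now-authenticated session; session data is
        # kept, only the id (and thus the cookie) changes. On versions of
        # Catalyst::Plugin::Authentication before 0.10_027 this explicit call
        # is the application's only protection.
        $c->change_session_id;
        $c->res->redirect($c->uri_for('/'));
        return;
    }

    # GET, or failed POST: render the form (template name is assumed)
    $c->stash(template => 'login.tt',
              error    => ($c->req->method eq 'POST' ? 'Login failed' : undef));
}

sub logout : Path('/logout') Args(0) {
    my ($self, $c) = @_;
    $c->logout;                    # clear the authenticated user
    $c->delete_session('logout');  # drop the session and its id entirely
    $c->res->redirect($c->uri_for('/login'));
}

__PACKAGE__->meta->make_immutable;
1;
```

A simple check that the protection is in place: the session cookie value returned before a successful POST to /login must differ from the one returned after it.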

PUBLISHED Reserved 2026-06-05 | Published 2026-06-09 | Updated 2026-06-09 | Assigner CPANSec

Problem types

CWE-384 Session Fixation

Product status

Default status: unaffected

Any version before 0.10_027: affected

Timeline

2009-07-08: Catalyst::Plugin::Session version 0.25 released with the change_session_id method to protect against session fixation attacks, along with documentation on how to use it with Catalyst::Plugin::Authentication
2026-06-07: Catalyst::Plugin::Authentication version 0.10_027 released with a change to avoid session fixation attacks

References

www.openwall.com/lists/oss-security/2026/06/09/10

metacpan.org/...alyst-Plugin-Authentication-0.10_027/changes release-notes

github.com/...b1385ea87a2491b64f33169222af19982d0acce3.patch patch

metacpan.org/pod/Catalyst::Plugin::Session

metacpan.org/pod/Plack::Middleware::Session

cve.org (CVE-2009-10007)

nvd.nist.gov (CVE-2009-10007)