CVE-2024-58135
Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets
Mojolicious versions from 7.28 through 9.40 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
Reserved 2025-04-07 | Published 2025-05-03 | Updated 2025-05-12 | Assigner CPANSecCWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
perldoc.perl.org/functions/rand
metacpan.org/...SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm
metacpan.org/...b/Mojolicious/Command/Author/generate/app.pm
github.com/mojolicious/mojo/pull/2200
metacpan.org/...urce/lib/Mojolicious/Command/generate/app.pm
security.metacpan.org/...uides/random-data-for-security.html
github.com/hashcat/hashcat/pull/4090
Support options
