{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-58135", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2025-04-07T16:06:37.226Z", "datePublished": "2025-05-03T10:16:10.636Z", "dateUpdated": "2025-05-03T10:16:10.636Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Mojolicious", "product": "Mojolicious", "programFiles": ["lib/Mojolicious/Command/Author/generate/app.pm", "lib/Mojo/Util.pm", "lib/Mojolicious/Command/generate/app.pm"], "programRoutines": [{"name": "Mojolicious::Command::Author::generate::app::run()"}, {"name": "Mojo::Util::generate_secret()"}], "repo": "https://github.com/mojolicious/mojo", "vendor": "SRI", "versions": [{"lessThanOrEqual": "9.39", "status": "affected", "version": "7.28", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.<br><br>When creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys."}], "value": "Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.\n\nWhen creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2025-05-03T10:16:10.636Z"}, "references": [{"url": "https://perldoc.perl.org/functions/rand"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"}, {"url": "https://github.com/mojolicious/mojo/pull/2200"}, {"url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}, {"url": "https://github.com/hashcat/hashcat/pull/4090"}], "source": {"discovery": "UNKNOWN"}, "title": "Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Ensure that your secret, stored in the application's configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."}], "value": "Ensure that your secret, stored in the application's configuration file, is at least 128 bit of cryptographically secure random data. For example, to generate a 256 bit secret, one could use the output generated by the \"openssl rand -base64 32\" command."}, {"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "As of version 9.39 of Mojolicious, if a CryptX distribution of version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated."}], "value": "As of version 9.39 of Mojolicious, if a CryptX distribution of version 0.080 or later is available in the include path before calling the \"mojo generate app\" tool, then a secure 1024 bit long secret will be generated."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets.\n\nWhen creating a default app with the \"mojo generate app\" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys."}], "id": "CVE-2024-58135", "lastModified": "2025-05-03T11:15:48.037", "metrics": {}, "published": "2025-05-03T11:15:48.037", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/hashcat/hashcat/pull/4090"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://github.com/mojolicious/mojo/pull/2200"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://perldoc.perl.org/functions/rand"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}