2363893 – (CVE-2024-58134) CVE-2024-58134 Mojolicious: Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default

Bug 2363893 (CVE-2024-58134) - CVE-2024-58134 Mojolicious: Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default

Summary: CVE-2024-58134 Mojolicious: Mojolicious versions from 0.999922 through 9.39 f...

Keywords:
Status:	NEW
Alias:	CVE-2024-58134
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2364055 2364056 2364059 2364057 2364058
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-03 17:01 UTC by OSIDB Bzimport
Modified:	2025-05-05 11:55 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-03 17:01:06 UTC

Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default.

These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

Note You need to log in before you can comment on or make changes to this bug.