5.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): NONE
- Availability impact (A): NONE
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets
Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.
References
- https://github.com/mojolicious/mojo/pull/2200 (issue-tracking)
- https://security.metacpan.org/docs/guides/random-data-for-security.html (technical-description)
Affected products
- =<9.39
- =<9.40
- =<*
Matching in nixpkgs
- pkgs.perl538Packages.Mojolicious: Real-time web framework
- pkgs.perl540Packages.Mojolicious: Real-time web framework
- pkgs.perl538Packages.MojoliciousPluginI18N: Internationalization Plugin for Mojolicious
- pkgs.perl538Packages.MojoliciousPluginMail: Mojolicious Plugin for send mail
- pkgs.perl540Packages.MojoliciousPluginI18N: Internationalization Plugin for Mojolicious
- pkgs.perl540Packages.MojoliciousPluginMail: Mojolicious Plugin for send mail
- pkgs.perl538Packages.MojoliciousPluginStatus: Mojolicious server status
- pkgs.perl538Packages.MojoliciousPluginSyslog: Plugin for enabling a Mojolicious app to log to syslog
- pkgs.perl540Packages.MojoliciousPluginStatus: Mojolicious server status
- pkgs.perl540Packages.MojoliciousPluginSyslog: Plugin for enabling a Mojolicious app to log to syslog
- pkgs.perl538Packages.MojoliciousPluginOpenAPI: OpenAPI / Swagger plugin for Mojolicious
- pkgs.perl538Packages.MojoliciousPluginWebpack: Mojolicious <3 Webpack
- pkgs.perl540Packages.MojoliciousPluginOpenAPI: OpenAPI / Swagger plugin for Mojolicious
- pkgs.perl540Packages.MojoliciousPluginWebpack: Mojolicious <3 Webpack
- pkgs.perl538Packages.MojoliciousPluginGravatar: Globally Recognized Avatars for Mojolicious
- pkgs.perl540Packages.MojoliciousPluginGravatar: Globally Recognized Avatars for Mojolicious
- pkgs.perl538Packages.MojoliciousPluginAssetPack: Compress and convert css, less, sass, javascript and coffeescript files
- pkgs.perl540Packages.MojoliciousPluginAssetPack: Compress and convert css, less, sass, javascript and coffeescript files
- pkgs.perl538Packages.MojoliciousPluginRenderFile: "render_file" helper for Mojolicious
- pkgs.perl540Packages.MojoliciousPluginRenderFile: "render_file" helper for Mojolicious
- pkgs.perl538Packages.MojoliciousPluginTextExceptions: Render exceptions as text in command line user agents
- pkgs.perl540Packages.MojoliciousPluginTextExceptions: Render exceptions as text in command line user agents
- pkgs.perl538Packages.MojoliciousPluginTemplateToolkit: Template Toolkit renderer plugin for Mojolicious
- pkgs.perl540Packages.MojoliciousPluginTemplateToolkit: Template Toolkit renderer plugin for Mojolicious
Package maintainers
- @marcusramberg Marcus Ramberg <marcus@means.no>
- @stigtsp Stig Palmquist <stig@stig.io>
- @thoughtpolice Austin Seipp <aseipp@pobox.com>
- @TomaSajt TomaSajt