Nixpkgs security tracker
8.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default
Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.
References
-
https://github.com/mojolicious/mojo/pull/1791 issue-tracking
-
https://github.com/mojolicious/mojo/pull/2200 issue-tracking
-
https://www.synacktiv.com/publications/baking-mojolicious-cookies technical-description
-
https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-o… technical-description
-
https://github.com/mojolicious/mojo/pull/2252 issue-tracking
-
https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passp… technical-description
Affected products
- =<9.39
- =<9.40
- =<*
Matching in nixpkgs
pkgs.perl538Packages.Mojolicious
Real-time web framework
pkgs.perl540Packages.Mojolicious
Real-time web framework
pkgs.perl538Packages.MojoliciousPluginI18N
Internationalization Plugin for Mojolicious
pkgs.perl538Packages.MojoliciousPluginMail
Mojolicious Plugin for send mail
pkgs.perl540Packages.MojoliciousPluginI18N
Internationalization Plugin for Mojolicious
pkgs.perl540Packages.MojoliciousPluginMail
Mojolicious Plugin for send mail
pkgs.perl538Packages.MojoliciousPluginStatus
Mojolicious server status
pkgs.perl538Packages.MojoliciousPluginSyslog
Plugin for enabling a Mojolicious app to log to syslog
pkgs.perl540Packages.MojoliciousPluginStatus
Mojolicious server status
pkgs.perl540Packages.MojoliciousPluginSyslog
Plugin for enabling a Mojolicious app to log to syslog
pkgs.perl538Packages.MojoliciousPluginOpenAPI
OpenAPI / Swagger plugin for Mojolicious
pkgs.perl538Packages.MojoliciousPluginWebpack
Mojolicious <3 Webpack
pkgs.perl540Packages.MojoliciousPluginOpenAPI
OpenAPI / Swagger plugin for Mojolicious
pkgs.perl540Packages.MojoliciousPluginWebpack
Mojolicious <3 Webpack
pkgs.perl538Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl540Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl538Packages.MojoliciousPluginAssetPack
Compress and convert css, less, sass, javascript and coffeescript files
pkgs.perl540Packages.MojoliciousPluginAssetPack
Compress and convert css, less, sass, javascript and coffeescript files
pkgs.perl538Packages.MojoliciousPluginRenderFile
"render_file" helper for Mojolicious
pkgs.perl540Packages.MojoliciousPluginRenderFile
"render_file" helper for Mojolicious
pkgs.perl538Packages.MojoliciousPluginTextExceptions
Render exceptions as text in command line user agents
pkgs.perl540Packages.MojoliciousPluginTextExceptions
Render exceptions as text in command line user agents
pkgs.perl538Packages.MojoliciousPluginTemplateToolkit
Template Toolkit renderer plugin for Mojolicious
pkgs.perl540Packages.MojoliciousPluginTemplateToolkit
Template Toolkit renderer plugin for Mojolicious
Package maintainers
-
@marcusramberg Marcus Ramberg <marcus@means.no>
-
@stigtsp Stig Palmquist <stig@stig.io>
-
@thoughtpolice Austin Seipp <aseipp@pobox.com>
-
@TomaSajt TomaSajt