{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T00:17:28.646","vulnerabilities":[{"cve":{"id":"CVE-2024-58135","sourceIdentifier":"9b29abf9-4ab0-4765-b253-1875cd9b441e","published":"2025-05-03T11:15:48.037","lastModified":"2025-10-20T20:15:36.920","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via \"mojo generate app\" by default\n\nWhen creating a default app skeleton with the \"mojo generate app\" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys."},{"lang":"es","value":"Las versiones de Mojolicious de la 7.28 a la 9.39 para Perl pueden generar secretos de sesión HMAC débiles. Al crear una aplicación predeterminada con la herramienta \"mojo generate app\", se escribe un secreto débil en el archivo de configuración de la aplicación mediante la función insegura rand(), que se utiliza para autenticar y proteger la integridad de las sesiones de la aplicación. Esto podría permitir a un atacante acceder por fuerza bruta a las claves de sesión de la aplicación."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","type":"Secondary","description":[{"lang":"en","value":"CWE-338"}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-338"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*","versionStartIncluding":"7.28","versionEndIncluding":"9.40","matchCriteriaId":"18CB7F71-95D5-44DC-BD63-01394CC408B4"}]}]}],"references":[{"url":"https://github.com/hashcat/hashcat/pull/4090","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/mojolicious/mojo/pull/2200","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Exploit","Issue Tracking","Patch"]},{"url":"https://lists.debian.org/debian-perl/2025/05/msg00016.html","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://lists.debian.org/debian-perl/2025/05/msg00017.html","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://lists.debian.org/debian-perl/2025/05/msg00018.html","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://metacpan.org/release/SRI/Mojolicious-7.28/source/lib/Mojolicious/Command/generate/app.pm#L220","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Product"]},{"url":"https://metacpan.org/release/SRI/Mojolicious-9.38/source/lib/Mojolicious/Command/Author/generate/app.pm#L202","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Product"]},{"url":"https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojo/Util.pm#L181","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Product"]},{"url":"https://perldoc.perl.org/functions/rand","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Product"]},{"url":"https://security.metacpan.org/docs/guides/random-data-for-security.html","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Technical Description"]}]}}]}