PT-2025-18941 · Unknown · Mojolicious

Published: 2025-05-03 · Updated: 2025-10-20 · CVE-2024-58135

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Mojolicious versions 7.28 through 9.39

Description: The issue concerns the generation of weak HMAC session secrets in Mojolicious for Perl. When a default application is generated, a secret produced with the insecure rand() function is written to the application's configuration file. This secret is used to authenticate the application's sessions and protect their integrity, so an attacker could potentially brute-force the application's session keys.

Recommendations: For Mojolicious versions 7.28 through 9.39, regenerate the session secrets with a cryptographically secure random number generator to mitigate the risk of brute-force attacks. As a temporary workaround, restrict access to sensitive areas of the application that rely on session authentication until a secure secret can be generated.
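The regeneration step above, as an added example that is not code from the Mojolicious project or from this advisory: a Mojolicious::Lite app that draws a new secret from the OS CSPRNG (/dev/urandom) instead of rand(), and rotates it in front of the old one so that sessions signed with the old secret still verify until they expire. The OLD_SECRET environment variable, the placeholder value and the 32-byte length are assumptions for the example.

```perl
#!/usr/bin/env perl
# Added example: replace a rand()-derived Mojolicious session secret with one
# from the OS CSPRNG, and rotate it without invalidating existing sessions.
use strict;
use warnings;
use Mojolicious::Lite -signatures;
use MIME::Base64 qw(encode_base64);

# Read $n bytes from /dev/urandom. Fail loudly rather than fall back to rand().
sub secure_secret ($n = 32) {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    # URL-safe base64 without padding, so the value pastes cleanly into a config file
    my $s = encode_base64($buf, '');
    $s =~ tr{+/}{-_};
    $s =~ s/=+\z//;
    return $s;
}

# Assumption: the weak secret from the generated config (secrets => [...]) is
# passed in via OLD_SECRET; the placeholder below is not a real value.
my $old_secret = $ENV{OLD_SECRET} // 'weak-secret-from-rand-PLACEHOLDER';

# Mojolicious signs new sessions with the first secret only but verifies with
# all of them, so listing the old secret second keeps current sessions valid
# during the rollover. Remove it once those sessions have expired.
app->secrets([ secure_secret(), $old_secret ]);

get '/' => sub ($c) {
    $c->session(visits => ($c->session('visits') // 0) + 1);
    $c->render(text => 'visits: ' . $c->session('visits'));
};

app->start;
```

Run with `OLD_SECRET='<value from my_app.conf>' perl app.pl daemon`; the printed secret from secure_secret() can also be written into the config file's secrets list directly.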

Related Identifiers

AZL-61741
AZL-61822
CVE-2024-58135

Affected Products

Debian
Mojolicious