
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2014-2875) affects the session.lua library in CGILua versions 5.2 alpha 1 and 5.2 alpha 2. It was discovered on March 27, 2014, and publicly disclosed on April 30, 2014. The issue stems from session IDs derived from the operating system time, which makes the IDs predictable and the sessions they identify hijackable (Syhunt Advisory).
The session IDs are weak and predictable: typically nine digits or fewer, and derived from operating system time. Because the generation code is published in the project's GitHub repository, an attacker can read exactly how an ID is derived rather than having to infer it from captured samples. NVD assigned a CVSS v3.1 Base Score of 6.1 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD). Note that the UI:R and S:C components of that vector sit oddly with a server-side brute-force attack that needs no victim interaction; treat the score as NVD's assessment rather than as a description of the attack.
A remote attacker can hijack arbitrary sessions by predicting valid session IDs: because an ID is a function of the time it was issued, the set of candidates around a victim's login time is small enough to brute-force, giving the attacker the authenticated session of any logged-in user (Syhunt Advisory).
The recommended mitigation is to avoid CGILua's session.lua library until a proper patch is issued. For a manual fix, the advisory suggests the luuid library, which generates 128-bit random IDs, or any other Lua library that produces unique IDs from high-quality randomness. After patching, every session issued by the unpatched code should be invalidated, since those IDs remain guessable regardless of how new ones are generated (Syhunt Advisory).
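The following Lua is an added example written for this page; it is not CGILua's session.lua and not code from the Syhunt advisory. It models the weakness described above (a session ID derived from os.time()), shows the prediction an attacker can run against it, and contrasts the 128-bit random replacement and the post-patch invalidation the advisory recommends. Assumptions: Lua 5.1 or later, a readable /dev/urandom standing in for luuid's randomness source, and a simplified weak generator that only illustrates the time dependence rather than reproducing CGILua's actual code.

```lua
-- Added example, not CGILua's own session.lua. Assumptions: Lua 5.1+ and a
-- readable /dev/urandom. The weak generator is a simplified illustration of
-- a clock-derived ID, not the real CGILua implementation.

-- Weak generator: the ID is a function of the clock alone.
local function weak_session_id(now)
  return tostring(now)
end

-- Attacker's view: every ID the weak generator could have produced in a
-- window around the estimated login time. One guess per second.
local function predict_weak_ids(estimated_login, window_seconds)
  local candidates = {}
  for t = estimated_login - window_seconds, estimated_login + window_seconds do
    candidates[#candidates + 1] = weak_session_id(t)
  end
  return candidates
end

-- Hardened generator: 16 bytes (128 bits) from the OS CSPRNG, hex-encoded.
-- This is what switching to luuid buys you; any library backed by OS
-- randomness is equivalent. The ID space is 2^128, not a few hundred guesses.
local function strong_session_id()
  local f = assert(io.open("/dev/urandom", "rb"))
  local bytes = f:read(16)
  f:close()
  assert(bytes and #bytes == 16, "short read from /dev/urandom")
  return (bytes:gsub(".", function(c)
    return string.format("%02x", c:byte())
  end))
end

-- Minimal session store that records which generator minted each ID, so
-- weak-era sessions can be revoked in one pass after the upgrade.
local SessionStore = {}
SessionStore.__index = SessionStore

function SessionStore.new()
  return setmetatable({ sessions = {} }, SessionStore)
end

function SessionStore:create(user, id, generator)
  self.sessions[id] = { user = user, generator = generator }
  return id
end

function SessionStore:lookup(id)
  local s = self.sessions[id]
  return s and s.user or nil
end

function SessionStore:revoke_generator(generator)
  local revoked = 0
  for id, s in pairs(self.sessions) do
    if s.generator == generator then
      self.sessions[id] = nil   -- clearing an existing field mid-traversal is allowed
      revoked = revoked + 1
    end
  end
  return revoked
end

-- Demonstration on constructed data.
local store = SessionStore.new()
local victim_login = 1398902400   -- constructed login timestamp
store:create("alice", weak_session_id(victim_login), "weak")

-- The attacker misjudges the login time by 37 seconds but searches a
-- five-minute window: 601 requests, one of which lands on alice's session.
local hits = 0
local guesses = predict_weak_ids(victim_login + 37, 300)
for _, id in ipairs(guesses) do
  if store:lookup(id) == "alice" then hits = hits + 1 end
end
print(("weak IDs: %d of %d guesses hijacked alice"):format(hits, #guesses))

-- After patching: revoke everything the weak code issued, then reissue.
local revoked = store:revoke_generator("weak")
local fresh = store:create("alice", strong_session_id(), "strong")
print(("revoked %d weak-era session(s); new ID %s (%d hex chars)"):format(
  revoked, fresh, #fresh))
```

Run it with `lua example.lua`. The search window is the whole attack: an attacker who can bound the victim's login time to a few minutes needs only a few hundred requests against the weak scheme, while the hardened ID cannot be enumerated at all. The generator tag on each session is what makes the advisory's last step (invalidate everything the unpatched code issued) a single operation rather than a guess about which IDs are old.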
The project maintainer, Tomás Guisasola, initially did not consider the session IDs generated by CGILua 5.0 and 5.2 insecure and held that adding randomness would not improve security. As a result, the vulnerability remained unpatched after disclosure (Syhunt Advisory).
Source: This report was generated using AI