
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Mojolicious versions from 7.28 through 9.40 for Perl contain a vulnerability in the generation of HMAC session secrets. When creating a default application using the 'mojo generate app' tool, a weak secret is written to the application's configuration file using the insecure rand() function, which is then used for authenticating and protecting the integrity of the application's sessions (NVD, Debian Tracker).
The vulnerability stems from the use of Perl's built-in rand() function for generating session secrets in the default application configuration. rand() is not a cryptographic generator: it is seeded with only 32 bits (4 bytes) of state, so its output is predictable. The weak secret is produced when the 'mojo generate app' command creates a configuration file whose secret is derived as sha1_sum $$ . steadytime . rand, i.e. a SHA-1 digest of the process ID, the monotonic clock value and a single rand() output (Perl Docs, Security Guide). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).
The use of predictable session secrets can allow attackers to forge session cookies by computing valid HMAC signatures. This could lead to session hijacking or tampering, potentially allowing unauthorized access to user accounts or elevation of privileges (Wiz).
A fix has been proposed in a pull request to the Mojolicious project that implements secure-by-default sessions using cryptographically secure random number generation. The fix generates and persists a 256-bit session secret drawn from a secure random source such as /dev/urandom or an equivalent system call (Mojo PR). Until the fix is available, users should replace the generated secret with a strong, cryptographically secure one set explicitly in their application.
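The following Perl script is an added example, not code from the Mojolicious project or from the advisory, that contrasts the weak derivation quoted above with a 256-bit replacement read from /dev/urandom, and adds a start-up check an operator can run against a configured secret. The names weak_secret, strong_secret and check_secret are this example's own; it assumes Mojo::Util is installed (for sha1_sum and steadytime) and that the application installs the value via $app->secrets([...]), which is how the generated app consumes the secret from its config file.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojo::Util qw(sha1_sum steadytime);

# Weak pattern from the generated config: SHA-1 of pid, monotonic clock and
# one rand() output. SHA-1 yields 160 bits, but rand() is seeded from only
# 32 bits, so the secret's effective entropy is bounded by that seed.
sub weak_secret {
    return sha1_sum($$ . steadytime() . rand());
}

# Hardened replacement (this example's code, not the project's): 32 bytes,
# i.e. 256 bits, straight from the kernel CSPRNG, hex-encoded for the config.
sub strong_secret {
    open my $fh, '<:raw', '/dev/urandom'
        or die "Cannot open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 32;
    close $fh;
    die "Short read from /dev/urandom" unless defined $n && $n == 32;
    return unpack 'H*', $bytes;
}

# Sanity check for a configured secret before the app starts: require the
# 64 hex chars of a 256-bit value and reject obviously degenerate strings
# (e.g. all zeros). This does not measure entropy; it only catches the
# shorter 40-char SHA-1 secrets the vulnerable generator wrote.
sub check_secret {
    my ($secret) = @_;
    return 0 unless defined $secret && $secret =~ /\A[0-9a-f]{64}\z/;
    my %seen = map { $_ => 1 } split //, $secret;
    return scalar(keys %seen) >= 8 ? 1 : 0;
}

my $weak   = weak_secret();
my $strong = strong_secret();
printf "weak   (%d hex chars, rand()-derived): %s\n", length $weak,   $weak;
printf "strong (%d hex chars, /dev/urandom):   %s\n", length $strong, $strong;

die "Generated secret failed the length/cardinality check\n"
    unless check_secret($strong);
die "Weak secret unexpectedly passed the check\n"
    if check_secret($weak);

# In the application (assumed usage, mirroring the generated app's
# $self->secrets($config->{secrets})):
#   $app->secrets([$strong]);
```

Running the script once and pasting the printed strong value into the application's secrets list is enough to replace the rand()-derived secret; because Mojolicious accepts a list of secrets, the new value can be placed first and the old one kept temporarily so existing sessions keep validating while they roll over, after which the old entry should be removed.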
Source: This report was generated using AI