NIXPKGS-2026-1896

GitHub issue published 8 hours ago

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks

Permalink CVE-2009-10007

9.1 CRITICAL

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): None (N)

updated 8 hours ago by @LeSuisse Activity log

Created suggestion 17 hours ago
@LeSuisse accepted 8 hours ago
@LeSuisse published on GitHub 8 hours ago

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.

References

Affected products

Catalyst-Plugin-Authentication

<0.10_027

Matching in nixpkgs

pkgs.perlPackages.CatalystPluginAuthentication

Infrastructure plugin for the Catalyst authentication framework

nixos-unstable 0.10023
- nixpkgs-unstable 0.10023
- nixos-unstable-small 0.10023
nixos-26.05 0.10023
- nixos-26.05-small 0.10023
- nixpkgs-26.05-darwin 0.10023

pkgs.perl5Packages.CatalystPluginAuthentication