6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely
Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy: the PID comes from a small set of numbers, and the epoch time may be guessed if it is not already leaked by the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predictable session ids could allow an attacker to gain access to systems.
References
Affected products
- <0.44
Matching in nixpkgs
- pkgs.perlPackages.CatalystPluginSession (Generic Session plugin - ties together server side storage and client side state required to maintain session data): nixos-unstable -, nixpkgs-unstable 0.43
- pkgs.perl538Packages.CatalystPluginSession (Generic Session plugin - ties together server side storage and client side state required to maintain session data): nixos-unstable -, nixpkgs-unstable 0.43
- pkgs.perl540Packages.CatalystPluginSession (Generic Session plugin - ties together server side storage and client side state required to maintain session data): nixos-unstable -, nixpkgs-unstable 0.43
- pkgs.perlPackages.CatalystPluginSessionStoreFile (File storage backend for session data): nixos-unstable -, nixpkgs-unstable 0.18
- pkgs.perlPackages.CatalystPluginSessionStateCookie (Maintain session IDs using cookies): nixos-unstable -, nixpkgs-unstable 0.18
- pkgs.perl538Packages.CatalystPluginSessionStoreFile (File storage backend for session data): nixos-unstable -, nixpkgs-unstable 0.18
- pkgs.perl540Packages.CatalystPluginSessionStoreFile (File storage backend for session data): nixos-unstable -, nixpkgs-unstable 0.18
- pkgs.perlPackages.CatalystPluginSessionDynamicExpiry (Per-session custom expiry times): nixos-unstable -, nixpkgs-unstable 0.04
- pkgs.perlPackages.CatalystPluginSessionStoreFastMmap (FastMmap session storage backend): nixos-unstable -, nixpkgs-unstable 0.16
- pkgs.perl538Packages.CatalystPluginSessionStateCookie (Maintain session IDs using cookies): nixos-unstable -, nixpkgs-unstable 0.18
- pkgs.perl540Packages.CatalystPluginSessionStateCookie (Maintain session IDs using cookies): nixos-unstable -, nixpkgs-unstable 0.18
- pkgs.perl538Packages.CatalystPluginSessionDynamicExpiry (Per-session custom expiry times): nixos-unstable -, nixpkgs-unstable 0.04
- pkgs.perl538Packages.CatalystPluginSessionStoreFastMmap (FastMmap session storage backend): nixos-unstable -, nixpkgs-unstable 0.16
- pkgs.perl540Packages.CatalystPluginSessionDynamicExpiry (Per-session custom expiry times): nixos-unstable -, nixpkgs-unstable 0.04
- pkgs.perl540Packages.CatalystPluginSessionStoreFastMmap (FastMmap session storage backend): nixos-unstable -, nixpkgs-unstable 0.16