Refine your search
3 vulnerabilities found for by MIYAGAWA
CVE-2014-125112 (GCVE-0-2014-125112)
Vulnerability from cvelistv5
Published
2026-03-26 02:04
Modified
2026-03-26 14:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-565 - Reliance on Cookies without Validation and Integrity Checking
Summary
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.
Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session::Cookie |
Version: 0 < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-26T04:46:57.862Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2014-125112",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T14:52:33.130571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:53:30.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session::Cookie",
"repo": "https://github.com/plack/Plack-Middleware-Session",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThanOrEqual": "0.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mala (@bulkneets)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T02:04:10.267Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Vulnerability disclosed by MIYAGAWA."
},
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Version 0.22 released that warns when the \"secret\" option is not set."
},
{
"lang": "en",
"time": "2014-08-11T00:00:00.000Z",
"value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."
},
{
"lang": "en",
"time": "2014-09-05T00:00:00.000Z",
"value": "Version 0.24 released. Same as 0.23 but not a trial release."
},
{
"lang": "en",
"time": "2016-02-03T00:00:00.000Z",
"value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."
},
{
"lang": "en",
"time": "2019-01-26T00:00:00.000Z",
"value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"
},
{
"lang": "en",
"time": "2019-03-09T00:00:00.000Z",
"value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"
},
{
"lang": "en",
"time": "2025-07-08T00:00:00.000Z",
"value": "CVE-2014-125112 assigned by CPANSec."
}
],
"title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution",
"workarounds": [
{
"lang": "en",
"value": "Set the \"secret\" option."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2014-125112",
"datePublished": "2026-03-26T02:04:10.267Z",
"dateReserved": "2025-07-08T15:24:38.840Z",
"dateUpdated": "2026-03-26T14:53:30.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-10031 (GCVE-0-2013-10031)
Vulnerability from cvelistv5
Published
2025-12-09 00:12
Modified
2025-12-11 14:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1254 - Incorrect Comparison Logic Granularity
Summary
Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session |
Version: 0.01 < 0.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2013-10031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T19:53:02.755963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T14:36:31.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session",
"programFiles": [
"lib/Plack/Middleware/Session/Cookie.pm"
],
"programRoutines": [
{
"name": "get_session"
}
],
"repo": "https://github.com/plack/Plack-Middleware-Session.git",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThan": "0.17",
"status": "affected",
"version": "0.01",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks\u003cbr\u003e"
}
],
"value": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks"
}
],
"impacts": [
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26 Leveraging Race Conditions"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1254",
"description": "CWE-1254 Incorrect Comparison Logic Granularity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:12:36.372Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 0.17 or higher"
}
],
"value": "Upgrade to version 0.17 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plack::Middleware::Session versions before 0.17 for Perl may be vulnerable to HMAC comparison timing attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2013-10031",
"datePublished": "2025-12-09T00:12:36.372Z",
"dateReserved": "2025-07-10T09:30:45.910Z",
"dateUpdated": "2025-12-11T14:36:31.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-40923 (GCVE-0-2025-40923)
Vulnerability from cvelistv5
Published
2025-07-16 13:05
Modified
2025-11-04 21:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.
The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Predicable session ids could allow an attacker to gain access to systems.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session |
Version: 0.01 < 0.35 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-40923",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T20:47:49.157521Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T20:48:17.516Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:10:20.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/16/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session",
"programFiles": [
"lib/Plack/Session/State.pm"
],
"repo": "https://github.com/plack/Plack-Middleware-Session",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThan": "0.35",
"status": "affected",
"version": "0.01",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003ePlack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.\u003c/div\u003e\u003cdiv\u003eThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\u003c/div\u003e\u003cdiv\u003ePredicable session ids could allow an attacker to gain access to systems.\u003c/div\u003e"
}
],
"value": "Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.\n\nThe default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nPredicable session ids could allow an attacker to gain access to systems."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-340",
"description": "CWE-340 Generation of Predictable Numbers or Identifiers",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-338",
"description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T13:05:03.782Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.34/source/lib/Plack/Session/State.pm#L22"
},
{
"url": "https://github.com/plack/Plack-Middleware-Session/pull/52"
},
{
"tags": [
"patch"
],
"url": "https://github.com/plack/Plack-Middleware-Session/commit/1fbfbb355e34e7f4b3906f66cf958cedadd2b9be.patch"
},
{
"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUsers are advised to upgrade to Plack-Middleware-Session v0.35 or later.\u003c/div\u003e"
}
],
"value": "Users are advised to upgrade to Plack-Middleware-Session v0.35 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eUsers who are unable to upgrade are advised to change the sid_generator attribute of Plack::Session::State to a function that returns a securely generated session id based on a secure source of entropy from the system.\u003c/div\u003e"
}
],
"value": "Users who are unable to upgrade are advised to change the sid_generator attribute of Plack::Session::State to a function that returns a securely generated session id based on a secure source of entropy from the system."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2025-40923",
"datePublished": "2025-07-16T13:05:03.782Z",
"dateReserved": "2025-04-16T09:05:34.362Z",
"dateUpdated": "2025-11-04T21:10:20.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}