Impact
This flaw causes session identifiers to be generated using a SHA‑1 hash seeded with low‑entropy data such as the built‑in rand value, current epoch time, a heap address of an anonymous hash, and the process ID. Because the inputs lack sufficient entropy and the hash function is not cryptographically secure for ID generation, an attacker can anticipate or brute‑force valid session identifiers, enabling session hijacking or fixation. The weakness falls under insufficient random number generation (CWE‑340) and weak cryptographic strength (CWE‑338).
Affected Systems
The vulnerability affects the HAYAJO Mojolicious::Sessions::Storable Perl module, specifically versions up to and including 0.05. Any application that relies on this module for session management is at risk unless it has been updated beyond 0.05.
Risk and Exploitability
The CVSS score of 5.3 signifies a moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Based on the description, the likely attack vector is local or remote web application access; a motivated attacker could generate or guess session IDs with only knowledge of the algorithm and minimal setup, particularly in environments where session IDs are transmitted over the network.
OpenCVE Enrichment