CVE-2009-10007

Summary

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks.

Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.

Affected Software

VendorProductVersion RangeStatus
ETHERCatalyst::Plugin::Authentication0 < 0.10_027affected

Weaknesses

  • CWE-384: CWE-384 Session Fixation

Workarounds

Users of Catalyst::Plugin::Session or Catalyst::Plugin::Starch should call the change_session_id method after authentication.

Users of Plack::Middleware::Session should set the change_id flag after logging in.

Users may also apply the linked patch.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References