Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Plack::Middleware::Session::Cookie by MIYAGAWA

    CVE-2014-125112 (GCVE-0-2014-125112)

    Vulnerability from nvd – Published: 2026-03-26 02:04 – Updated: 2026-03-26 14:53
    VLAI
    Title
    Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution
    Summary
    Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
    Assigner
    Impacted products
    Vendor Product Version
    MIYAGAWA Plack::Middleware::Session::Cookie Affected: 0 , ≤ 0.21 (custom)
    Create a notification for this product.
    Credits
    mala (@bulkneets)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-26T04:46:57.862Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2014-125112",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T14:52:33.130571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T14:53:30.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Plack-Middleware-Session",
              "product": "Plack::Middleware::Session::Cookie",
              "repo": "https://github.com/plack/Plack-Middleware-Session",
              "vendor": "MIYAGAWA",
              "versions": [
                {
                  "lessThanOrEqual": "0.21",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "mala (@bulkneets)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-565",
                  "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T02:04:10.267Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2014-08-11T00:00:00.000Z",
              "value": "Vulnerability disclosed by MIYAGAWA."
            },
            {
              "lang": "en",
              "time": "2014-08-11T00:00:00.000Z",
              "value": "Version 0.22 released that warns when the \"secret\" option is not set."
            },
            {
              "lang": "en",
              "time": "2014-08-11T00:00:00.000Z",
              "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."
            },
            {
              "lang": "en",
              "time": "2014-09-05T00:00:00.000Z",
              "value": "Version 0.24 released. Same as 0.23 but not a trial release."
            },
            {
              "lang": "en",
              "time": "2016-02-03T00:00:00.000Z",
              "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."
            },
            {
              "lang": "en",
              "time": "2019-01-26T00:00:00.000Z",
              "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"
            },
            {
              "lang": "en",
              "time": "2019-03-09T00:00:00.000Z",
              "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"
            },
            {
              "lang": "en",
              "time": "2025-07-08T00:00:00.000Z",
              "value": "CVE-2014-125112 assigned by CPANSec."
            }
          ],
          "title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution",
          "workarounds": [
            {
              "lang": "en",
              "value": "Set the \"secret\" option."
            }
          ],
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2014-125112",
        "datePublished": "2026-03-26T02:04:10.267Z",
        "dateReserved": "2025-07-08T15:24:38.840Z",
        "dateUpdated": "2026-03-26T14:53:30.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2014-125112 (GCVE-0-2014-125112)

    Vulnerability from cvelistv5 – Published: 2026-03-26 02:04 – Updated: 2026-03-26 14:53
    VLAI
    Title
    Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution
    Summary
    Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
    Assigner
    Impacted products
    Vendor Product Version
    MIYAGAWA Plack::Middleware::Session::Cookie Affected: 0 , ≤ 0.21 (custom)
    Create a notification for this product.
    Credits
    mala (@bulkneets)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-26T04:46:57.862Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://www.openwall.com/lists/oss-security/2026/03/26/2"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2014-125112",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-26T14:52:33.130571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-26T14:53:30.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://cpan.org/modules",
              "defaultStatus": "unaffected",
              "packageName": "Plack-Middleware-Session",
              "product": "Plack::Middleware::Session::Cookie",
              "repo": "https://github.com/plack/Plack-Middleware-Session",
              "vendor": "MIYAGAWA",
              "versions": [
                {
                  "lessThanOrEqual": "0.21",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "mala (@bulkneets)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.\n\nPlack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-565",
                  "description": "CWE-565 Reliance on Cookies without Validation and Integrity Checking",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-26T02:04:10.267Z",
            "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
            "shortName": "CPANSec"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://gist.github.com/miyagawa/2b8764af908a0dacd43d"
            },
            {
              "tags": [
                "release-notes"
              ],
              "url": "https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade Plack::Middleware::Session to version 0.23 or later (ideally version 0.36 or later), and set the \"secret\" option."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2014-08-11T00:00:00.000Z",
              "value": "Vulnerability disclosed by MIYAGAWA."
            },
            {
              "lang": "en",
              "time": "2014-08-11T00:00:00.000Z",
              "value": "Version 0.22 released that warns when the \"secret\" option is not set."
            },
            {
              "lang": "en",
              "time": "2014-08-11T00:00:00.000Z",
              "value": "Version 0.23-TRIAL released that requires the \"secret\" option to be set."
            },
            {
              "lang": "en",
              "time": "2014-09-05T00:00:00.000Z",
              "value": "Version 0.24 released. Same as 0.23 but not a trial release."
            },
            {
              "lang": "en",
              "time": "2016-02-03T00:00:00.000Z",
              "value": "Version 0.26 released. Documentation improved with SYNOPSIS giving an example of how to set the \"secret\" option."
            },
            {
              "lang": "en",
              "time": "2019-01-26T00:00:00.000Z",
              "value": "CPANSA-Plack-Middleware-Session-Cookie-2014-01 assigned in CPAN::Audit::DB"
            },
            {
              "lang": "en",
              "time": "2019-03-09T00:00:00.000Z",
              "value": "CPANSA-Plack-Middleware-Session-2014-01 reassigned in CPAN::Audit::DB"
            },
            {
              "lang": "en",
              "time": "2025-07-08T00:00:00.000Z",
              "value": "CVE-2014-125112 assigned by CPANSec."
            }
          ],
          "title": "Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution",
          "workarounds": [
            {
              "lang": "en",
              "value": "Set the \"secret\" option."
            }
          ],
          "x_generator": {
            "engine": "cpansec-cna-tool 0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "assignerShortName": "CPANSec",
        "cveId": "CVE-2014-125112",
        "datePublished": "2026-03-26T02:04:10.267Z",
        "dateReserved": "2025-07-08T15:24:38.840Z",
        "dateUpdated": "2026-03-26T14:53:30.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }