Vulnerability Information
Vulnerability Title
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids
Vulnerability Description
Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids. The generate_session_id function in Concierge::Sessions::Base defaults to using the uuidgen command to generate a UUID, with a fallback to using Perl's built-in rand function. Neither of these methods is secure, and attackers are able to guess session_ids that can grant them access to systems. Specifically:
* There is no warning when uuidgen fails. The software can be quietly using the fallback rand() function with no warnings if the command fails for any reason.
* The uuidgen command will generate a time-based UUID if the system does not have a high-quality random number source, because the call does not explicitly specify the --random option. Note that the system time is shared in HTTP responses.
* UUIDs are identifiers whose mere possession grants access, as per RFC 9562.
* The output of the built-in rand() function is predictable and unsuitable for security applications.
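The generation pattern the advisory describes, placed beside a fail-closed alternative, as an added Perl example; this is not code from the Concierge::Sessions distribution. The function names, the 16-byte token length, the reliance on /dev/urandom and the explicit `uuidgen --random` wrapper are assumptions of this example; the version-nibble check follows the UUID layout of RFC 9562, which the advisory cites.

```perl
#!/usr/bin/perl
# Added example, not part of Concierge::Sessions. Contrasts the silent-fallback
# pattern described in the advisory with generators that fail closed.
use strict;
use warnings;

# Pattern the advisory describes (reconstructed, not the module's source):
# shell out to uuidgen and, if anything goes wrong, quietly fall back to
# Perl's rand(). Both branches are unsuitable for session identifiers:
# uuidgen may emit a time-based UUID when called without --random, and
# rand() is a predictable PRNG.
sub insecure_session_id {
    my $uuid = `uuidgen 2>/dev/null`;   # empty if the command is missing or fails
    chomp $uuid;
    return $uuid if length $uuid;       # no check that this is a random-version UUID
    return join '', map { sprintf '%x', int rand 16 } 1 .. 32;  # silent fallback
}

# RFC 9562 layout: the version nibble of a random UUID (version 4) is '4';
# a time-based UUID (version 1) carries '1' in the same position.
sub uuid_is_random_version {
    my ($uuid) = @_;
    return $uuid =~ /\A[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\z/i
        ? 1 : 0;
}

# Hardened alternative (assumption: /dev/urandom is the system CSPRNG):
# draw 16 bytes (128 bits) and die if the source is unavailable or short.
# There is no fallback to rand() and no shell-out.
sub secure_session_id {
    my $nbytes = 16;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    my $got = sysread $fh, $buf, $nbytes;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == $nbytes;
    return unpack 'H*', $buf;           # 32 lowercase hex characters
}

# If uuidgen must be kept: request a random UUID explicitly, check the exit
# status instead of ignoring it, and refuse anything that is not version 4.
sub uuidgen_random_or_die {
    my $uuid = qx(uuidgen --random 2>/dev/null);
    die "uuidgen failed (exit status " . ($? >> 8) . ")" if $? != 0;
    chomp $uuid;
    die "uuidgen did not return a random-version UUID: $uuid"
        unless uuid_is_random_version($uuid);
    return lc $uuid;
}

my $legacy = insecure_session_id();
print "legacy id : $legacy (random-version UUID: ",
      uuid_is_random_version($legacy), ")\n";
print "secure id : ", secure_session_id(), "\n";
```

Running the script prints one identifier from each path; when the legacy path has fallen back to rand(), or when uuidgen returned a time-based UUID, the version check reports 0, which is exactly the condition the advisory says the original code never surfaces. `uuidgen_random_or_die` is shown for deployments that want to keep uuidgen; it is not called in the demo because the --random option is not available on every platform's uuidgen.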
CVSS Information
N/A
Vulnerability Type
Predictability Issue
Vulnerability Title
Concierge::Sessions Security Vulnerability
Vulnerability Description
Concierge::Sessions is a user management system by the individual developer Bruce Van Allen. Versions of Concierge::Sessions before 0.8.5 contain a security vulnerability: the generate_session_id function defaults to using the uuidgen command to generate a UUID and falls back to Perl's built-in rand function. Neither method is secure, which may allow an attacker to guess session_ids and gain access to the system.
CVSS Information
N/A
Vulnerability Type
N/A