Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
The vulnerability results from the lack of integrity verification of data stored in cookies on the server side — when a secret for signing cookies is not configured. An attacker can provide crafted, malicious data in a cookie, which during deserialization on the server side leads to arbitrary code execution. This is a classic unsafe deserialization attack (CWE-565), where user-controlled data is processed without proper validation.
A remote attacker, without authentication, can execute arbitrary code on the server, which in practice means complete takeover of the application and potentially the entire system, including gaining access to data, modifying content, or installing malicious software.
The Plack-Middleware-Session package should be updated to version 0.23 or newer (available on CPAN). According to vendor references, version 0.23-TRIAL addresses this vulnerability. Additionally, a secret for signing cookies should be configured, which prevents attackers from manipulating session data.
Plack::Middleware::Session::Cookie in versions up to and including 0.21 for Perl — affects deployments where no secret for signing cookies is configured.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMiyagawa Plack\
APPMiyagawa\