Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.
The session identifier is generated based on three elements: server system time, the result of the built-in rand() function, and process identifier (PID). The system time is publicly available in HTTP response headers, Perl's rand() function is not cryptographically secure, and the PID can be guessed or determined by brute-force. The combination of these weak entropy sources (CWE-338 — use of cryptographically weak pseudo-random number generator) makes the space of possible session identifiers drastically limited and predictable.
An unauthenticated remote attacker can guess or recreate valid session identifiers, leading to session hijacking of logged-in users and consequently unauthorized access to their accounts and data.
Apply patches available from the vendor according to the references. Until updating, it is recommended to consider implementing an external session management mechanism based on a cryptographically secure random number generator.
Teejay Maypole for Perl in versions 2.10 to 2.13 inclusive
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTeejay Maypole
APPTeejay2.1112.1212.10 – 2.13