{"url":"http://public2.vulnerablecode.io/api/packages/103126?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.34-1?distro=trixie","type":"deb","namespace":"debian","name":"libplack-middleware-session-perl","version":"0.34-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.36-1","latest_non_vulnerable_version":"0.36-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76755?format=json","vulnerability_id":"VCID-gur5-xp2t-7bgv","summary":"Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.  The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.  Predictable session ids could allow an attacker to gain access to 
systems.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-40923","reference_id":"","reference_type":"","scores":[{"value":"0.00535","scoring_system":"epss","scoring_elements":"0.67847","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00535","scoring_system":"epss","scoring_elements":"0.67837","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00535","scoring_system":"epss","scoring_elements":"0.67822","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00535","scoring_system":"epss","scoring_elements":"0.67836","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00535","scoring_system":"epss","scoring_elements":"0.6784","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-40923"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40923","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40923"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109405","reference_id":"1109405","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109405"},{"reference_url":"https://github.com/plack/Plack-Middleware-Session/commit/1fbfbb355e34e7f4b3906f66cf958cedadd2b9be.patch","reference_id":"1fbfbb355e34e7f4b3906f66cf958cedadd2b9be.patch","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-16T20:47:49Z/"}],"url":"https://github.com/plack/Plack-Middleware-Session/commit/1fbfbb355e34e7f4b3906f66cf958cedadd2b9be.patch"},{"reference_url":"https://github.com/plack/Plack-Middleware-Session/pull/52","reference_id":"52","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"s
svc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-16T20:47:49Z/"}],"url":"https://github.com/plack/Plack-Middleware-Session/pull/52"},{"reference_url":"https://security.metacpan.org/docs/guides/random-data-for-security.html","reference_id":"random-data-for-security.html","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-16T20:47:49Z/"}],"url":"https://security.metacpan.org/docs/guides/random-data-for-security.html"},{"reference_url":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.34/source/lib/Plack/Session/State.pm#L22","reference_id":"State.pm#L22","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-16T20:47:49Z/"}],"url":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.34/source/lib/Plack/Session/State.pm#L22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103125?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.36-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.36-1%3Fdistro=trixie"}],"aliases":["CVE-2025-40923"],"risk_score":3.3,"exploitability":"0.5","weighted_severity":"6.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gur5-xp2t-7bgv"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76753?format=json","vulnerability_id":"VCID-buem-pfzp-uqde","summary":"Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.  
Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2014-125112","reference_id":"","reference_type":"","scores":[{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33125","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33176","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33137","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33105","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33058","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00135","scoring_system":"epss","scoring_elements":"0.33161","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2014-125112"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-125112","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-125112"},{"reference_url":"https://gist.github.com/miyagawa/2b8764af908a0dacd43d","reference_id":"2b8764af908a0dacd43d","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-26T14:52:33Z/"}],"url":"https://gist.github.com/miyagawa/2b8764af908a0dacd43d"},{"reference_url":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes","reference_id":"changes","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-26T14:52:33Z/"}],"url":"https://metacpan.org/release/MIYAGAWA/Plack-Middleware-Session-0.23-TRIAL/changes"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103127?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.24-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.24-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103124?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.33-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gur5-xp2t-7bgv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.33-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103122?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.33-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gur5-xp2t-7bgv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.33-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103126?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.34-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gur5-xp2t-7bgv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.34-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103125?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.36-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libp
lack-middleware-session-perl@0.36-1%3Fdistro=trixie"}],"aliases":["CVE-2014-125112"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-buem-pfzp-uqde"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70131?format=json","vulnerability_id":"VCID-dytq-dmmm-wuag","summary":"Plack-Middleware-Session: Plack-Middleware-Session: HMAC comparison timing attack vulnerability","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-10031.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-10031.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-10031","reference_id":"","reference_type":"","scores":[{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12968","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12957","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13014","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.12928","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13049","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00042","scoring_system":"epss","scoring_elements":"0.13053","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-10031"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-10031","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-10031"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2420282","reference_id":"2420282","reference_type":"","scores":[],"url"
:"https://bugzilla.redhat.com/show_bug.cgi?id=2420282"},{"reference_url":"https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4","reference_id":"b7f0252269ba1bb812b5dc02303754fe94c808e4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-09T19:53:02Z/"}],"url":"https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103123?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.21-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.21-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103124?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.33-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gur5-xp2t-7bgv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.33-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103122?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.33-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gur5-xp2t-7bgv"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.33-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103126?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.34-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gur5-xp2t-7bgv"}],"resource_url":"http://public2.vulnerablecode.i
o/packages/pkg:deb/debian/libplack-middleware-session-perl@0.34-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103125?format=json","purl":"pkg:deb/debian/libplack-middleware-session-perl@0.36-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.36-1%3Fdistro=trixie"}],"aliases":["CVE-2013-10031"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dytq-dmmm-wuag"}],"risk_score":"3.3","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libplack-middleware-session-perl@0.34-1%3Fdistro=trixie"}