#VU93861 Observable discrepancy in Mojolicious - CVE-2020-36829


Vulnerability identifier: #VU93861

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-36829

CWE-ID: CWE-203

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mojolicious
Other software / Other software solutions

Vendor: SRI

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to observable discrepancy when comparing passwords. A remote attacker can guess the length of a secret string.


Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mojolicious: 5.28 - 8.64

External links
https://github.com/mojolicious/mojo/pull/1601
https://github.com/mojolicious/mojo/issues/1599

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS update for perl-Mojolicious
openEuler 20.03 LTS SP4 update for perl-Mojolicious
openEuler 20.03 LTS SP1 update for perl-Mojolicious
Information disclosure in Mojolicious