Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution.
Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
AnalysisAI
Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-565. Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie. Affected products include: Miyagawa Plack. Version information: through 0.21.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Header injection filtering bypass in Plack::Middleware::Security::Common (Perl) versions prior to 0.13.1 allows remote a
Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP c
Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to b
Same technique Deserialization
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | not-affected | 0.33-1 |
| noble | not-affected | - |
| questing | not-affected | - |
| upstream | released | 0.24-1 |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 0.33-1 | - |
| bookworm | fixed | 0.33-2 | - |
| trixie | fixed | 0.34-1 | - |
| forky, sid | fixed | 0.36-1 | - |
| (unstable) | fixed | 0.24-1 | - |
SUSE
Severity: CriticalShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2014-9820
GHSA-58qr-v987-vh6w