CVE-2014-125112

Name: CVE-2014-125112
Description: Plack::Middleware::Session::Cookie versions through 0.21 for Perl allow remote code execution. These versions have a security vulnerability that allows an attacker to execute arbitrary code on the server during deserialization of the cookie data, when there is no secret used to sign the cookie.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

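Source Package                          Release     Version  Status
libplack-middleware-session-perl (PTS)  bullseye    0.33-1   fixed
libplack-middleware-session-perl (PTS)  bookworm    0.33-2   fixed
libplack-middleware-session-perl (PTS)  trixie      0.34-1   fixed
libplack-middleware-session-perl (PTS)  forky, sid  0.36-1   fixed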

The information below is based on the following data on fixed versions.

Package                           Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
libplack-middleware-session-perl  source  (unstable)  0.24-1

Notes

https://gist.github.com/miyagawa/2b8764af908a0dacd43d
https://lists.security.metacpan.org/cve-announce/msg/38287006/
Version 0.23 changed the warning to an error when the secret is not set.
