Description
The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NOTE: CVE-2014-10399 and CVE-2014-10400 were SPLIT from this ID.
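The following is an added illustration of the weakness the description refers to, not code from CGILua or from the Debian package. It models a session ID that is a pure function of the OS clock in seconds (a simplified stand-in for the real session.lua generator, whose exact derivation is not reproduced here), shows how an attacker who knows roughly when the victim logged in recovers the ID by enumerating a time window, and contrasts it with an ID drawn from the OS CSPRNG plus a constant-time server-side lookup. All function and class names (`weak_session_id`, `brute_force_time_based`, `SessionStore`) are hypothetical, and the login timestamp is constructed.

```python
import hashlib
import math
import secrets
from typing import Optional

HEX_ID_LEN = 32  # 16 random bytes, hex encoded


def weak_session_id(os_time: int) -> str:
    """Constructed stand-in for a time-seeded generator (not CGILua's code).

    The ID depends only on the OS clock in whole seconds, so its value space
    is bounded by the size of the time window an attacker has to search,
    no matter how long the hash output looks.
    """
    return hashlib.sha1(str(os_time).encode("ascii")).hexdigest()


def strong_session_id() -> str:
    """Hardened replacement: 128 bits from the OS CSPRNG, independent of time."""
    return secrets.token_hex(16)


def brute_force_time_based(target_id: str, approx_time: int,
                           window_seconds: int) -> Optional[int]:
    """Attacker side of the description's brute-force attack.

    Given an approximate login time (e.g. from a 'last seen' page or a
    server log line) try every second in [approx - window, approx + window]
    and return the seed that reproduces the target ID, or None.
    """
    lo = approx_time - window_seconds
    hi = approx_time + window_seconds
    for candidate in range(lo, hi + 1):
        if weak_session_id(candidate) == target_id:
            return candidate
    return None


def guess_space_bits(window_seconds: int) -> float:
    """Effective entropy of a time-derived ID for a given attacker window.

    A two-hour window around the true login time is about 12.8 bits, i.e.
    a few thousand guesses, regardless of the hash length.
    """
    return math.log2(2 * window_seconds + 1)


class SessionStore:
    """Minimal server-side store for opaque, randomly generated IDs."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def create(self, user: str) -> str:
        sid = strong_session_id()
        self._sessions[sid] = user
        return sid

    def lookup(self, presented: str) -> Optional[str]:
        # Reject anything that is not a well-formed hex ID before comparing,
        # then compare every stored ID in constant time so response timing
        # does not reveal how much of a guessed ID matched.
        if len(presented) != HEX_ID_LEN or any(
                c not in "0123456789abcdef" for c in presented):
            return None
        found: Optional[str] = None
        for sid, user in self._sessions.items():
            if secrets.compare_digest(sid, presented):
                found = user
        return found


if __name__ == "__main__":
    # Constructed scenario: victim logged in at a fixed timestamp; the
    # attacker only knows it to within an hour either way.
    login_time = 1_400_000_000
    victim_id = weak_session_id(login_time)
    recovered = brute_force_time_based(victim_id, login_time + 45, 3600)
    print("weak ID recovered from seed:", recovered)
    print("search space, bits:", round(guess_space_bits(3600), 2))
    print("strong ID recovered:",
          brute_force_time_based(strong_session_id(), login_time, 3600))
```

The search in `brute_force_time_based` costs one hash per candidate second, so even a window of days is a matter of seconds of CPU; the fix is not a longer hash but an ID that is not a function of any value the attacker can narrow down.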
Source: CVE (cross-references at NVD, CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 953037

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release               | Version       | Status
lua-cgi (PTS)  | buster                | 5.2~alpha2-1  | vulnerable
lua-cgi (PTS)  | sid, trixie, bookworm | 5.2~alpha2-2  | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
(no fixed-version entries are recorded for this issue)

The code itself is broken and thus cannot be exploited per se if not fixed, see details in
