CVE-2009-10007 - Vulnerability Details - OpenCVE

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b1385ea87a2491b64f33169222af19982d0acce3.patch
https://metacpan.org/pod/Catalyst::Plugin::Session#change_session_id
https://metacpan.org/pod/Plack::Middleware::Session#change_id
https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_027/changes

History

Tue, 09 Jun 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.
Title		Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks
Weaknesses		CWE-384
References		https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b1385ea87a2491b64f33169222af19982d0acce3.patch https://metacpan.org/pod/Catalyst::Plugin::Session#change_session_id https://metacpan.org/pod/Plack::Middleware::Session#change_id https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_027/changes

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-06-09T07:34:51.909Z

Updated: 2026-06-09T07:39:45.324Z

Reserved: 2026-06-05T09:22:17.762Z

Link: CVE-2009-10007

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T09:16:27.183

Modified: 2026-06-09T09:16:27.183

Link: CVE-2009-10007

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2009-10007", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-06-05T09:22:17.762Z", "datePublished": "2026-06-09T07:34:51.909Z", "dateUpdated": "2026-06-09T07:39:45.324Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Catalyst-Plugin-Authentication", "product": "Catalyst::Plugin::Authentication", "repo": "https://github.com/perl-catalyst/Catalyst-Plugin-Authentication", "vendor": "ETHER", "versions": [{"lessThan": "0.10_027", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks.\n\nCatalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim."}], "impacts": [{"capecId": "CAPEC-61", "descriptions": [{"lang": "en", "value": "CAPEC-61 Session Fixation"}]}, {"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384 Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-06-09T07:39:45.324Z"}, "references": [{"tags": ["release-notes"], "url": "https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_027/changes"}, {"tags": ["patch"], "url": "https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b1385ea87a2491b64f33169222af19982d0acce3.patch"}, {"url": "https://metacpan.org/pod/Catalyst::Plugin::Session#change_session_id"}, {"url": "https://metacpan.org/pod/Plack::Middleware::Session#change_id"}], "solutions": [{"lang": "en", "value": "Users should upgrade to version 0.10_027 or later."}], "source": {"discovery": "UNKNOWN"}, "timeline": [{"lang": "en", "time": "2009-07-08T00:00:00.000Z", "value": "Catalyst::Plugin::Session version 0.25 released with the change_session_id method to protect against session fixation attacks, along with documentation how to use that with Catalyst::Plugin::Authentication"}, {"lang": "en", "time": "2026-06-07T00:00:00.000Z", "value": "Catalyst::Plugin::Authentication version 0.10_027 released with change to avoid session fixation attacks"}], "title": "Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks", "workarounds": [{"lang": "en", "value": "Users of Catalyst::Plugin::Session or Catalyst::Plugin::Starch should call the change_session_id method after authentication.\n\nUsers of Plack::Middleware::Session should set the change_id flag after logging in.\n\nUsers may also apply the linked patch."}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}}}}