========================================================================
CVE-2009-10007                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2009-10007
   Distribution:  Catalyst-Plugin-Authentication
       Versions:  before 0.10_027

       MetaCPAN: https://metacpan.org/dist/Catalyst-Plugin-Authentication
       VCS Repo:
https://github.com/perl-catalyst/Catalyst-Plugin-Authentication

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is
susceptible to session fixation attacks

Description
-----------
Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is
susceptible to session fixation attacks.

Catalyst::Plugin::Authentication does not automatically change the
session id after authentication. An attacker that obtains a session id
cookie can use this to impersonate the victim.

Problem types
-------------
- CWE-384 Session Fixation

Workarounds
-----------
Users of Catalyst::Plugin::Session or Catalyst::Plugin::Starch should
call the change_session_id method after authentication.

Users of Plack::Middleware::Session should set the change_id flag after
logging in.

Users may also apply the linked patch.

Solutions
---------
Users should upgrade to version 0.10_027 or later.

References
----------
https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_027/changes
https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b1385ea87a2491b64f33169222af19982d0acce3.patch
https://metacpan.org/pod/Catalyst::Plugin::Session#change_session_id
https://metacpan.org/pod/Plack::Middleware::Session#change_id

Timeline
--------
- 2009-07-08: Catalyst::Plugin::Session version 0.25 released with the
   change_session_id method to protect against session fixation attacks,
   along with documentation how to use that with
   Catalyst::Plugin::Authentication
- 2026-06-07: Catalyst::Plugin::Authentication version 0.10_027
   released with change to avoid session fixation attacks