CWE-1254
Incorrect Comparison Logic Granularity
The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes.
CVE-2013-10031 (GCVE-0-2013-10031)
Vulnerability from cvelistv5
Published
2025-12-09 00:12
Modified
2025-12-11 14:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1254 - Incorrect Comparison Logic Granularity
Summary
Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| MIYAGAWA | Plack::Middleware::Session |
Version: 0.01 < 0.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2013-10031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T19:53:02.755963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T14:36:31.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Plack-Middleware-Session",
"product": "Plack::Middleware::Session",
"programFiles": [
"lib/Plack/Middleware/Session/Cookie.pm"
],
"programRoutines": [
{
"name": "get_session"
}
],
"repo": "https://github.com/plack/Plack-Middleware-Session.git",
"vendor": "MIYAGAWA",
"versions": [
{
"lessThan": "0.17",
"status": "affected",
"version": "0.01",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks\u003cbr\u003e"
}
],
"value": "Plack-Middleware-Session versions before 0.17 may be vulnerable to HMAC comparison timing attacks"
}
],
"impacts": [
{
"capecId": "CAPEC-26",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-26 Leveraging Race Conditions"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1254",
"description": "CWE-1254 Incorrect Comparison Logic Granularity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T00:12:36.372Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/plack/Plack-Middleware-Session/commit/b7f0252269ba1bb812b5dc02303754fe94c808e4"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to version 0.17 or higher"
}
],
"value": "Upgrade to version 0.17 or higher"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Plack::Middleware::Session versions before 0.17 for Perl may be vulnerable to HMAC comparison timing attacks",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2013-10031",
"datePublished": "2025-12-09T00:12:36.372Z",
"dateReserved": "2025-07-10T09:30:45.910Z",
"dateUpdated": "2025-12-11T14:36:31.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- The hardware designer should ensure that comparison logic is implemented so as to compare in one operation instead in smaller chunks.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.