{
   "document": {
      "category": "csaf_security_advisory",
      "csaf_version": "2.0",
      "distribution": {
         "tlp": {
            "label": "WHITE",
            "url": "https://www.first.org/tlp/"
         }
      },
      "lang": "en",
      "notes": [
         {
            "category": "description",
            "text": "Mojo::Util secure_compare can leak the string length. By immediately returning when the two strings are not the same length, the function allows an attacker to guess the length of the secret string using timing attacks.",
            "title": "Vulnerability Description"
         }
      ],
      "publisher": {
         "category": "other",
         "contact_details": "gdt@cpan.org",
         "name": "giterlizzi",
         "namespace": "https://github.com/giterlizzi/"
      },
      "references": [
         {
            "category": "self",
            "summary": "CPANSA-Mojolicious-2020-01 JSON",
            "url": "https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2020/cpansa-mojolicious-2020-01.json"
         },
         {
            "category": "external",
            "summary": "https://github.com/mojolicious/mojo/pull/1601",
            "url": "https://github.com/mojolicious/mojo/pull/1601"
         },
         {
            "category": "external",
            "summary": "CVE-2020-36829 (NVD)",
            "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36829"
         }
      ],
      "title": "Mojolicious vulnerability",
      "tracking": {
         "current_release_date": "2020-11-10T00:00:00",
         "generator": {
            "engine": {
               "name": "CSAF Perl Toolkit",
               "version": "0.26"
            }
         },
         "id": "CPANSA-Mojolicious-2020-01",
         "initial_release_date": "2020-11-10T00:00:00",
         "revision_history": [
            {
               "date": "2020-11-10T00:00:00",
               "number": "1",
               "summary": "First release"
            }
         ],
         "status": "final",
         "version": "1"
      }
   },
   "product_tree": {
      "branches": [
         {
            "branches": [
               {
                  "category": "product_version_range",
                  "name": "vers:cpan/>1.74|<8.65",
                  "product": {
                     "name": "Mojolicious greater than 1.74 and less than 8.65",
                     "product_id": "CSAFPID-0001"
                  }
               },
               {
                  "category": "product_version_range",
                  "name": "vers:cpan/>=8.65",
                  "product": {
                     "name": "Mojolicious greater than or equal 8.65",
                     "product_id": "CSAFPID-0002"
                  }
               }
            ],
            "category": "product_name",
            "name": "Mojolicious"
         }
      ]
   },
   "vulnerabilities": [
      {
         "cve": "CVE-2020-36829",
         "notes": [
            {
               "category": "description",
               "text": "The Mojolicious module before 8.65 for Perl is vulnerable to secure_compare timing attacks that allow an attacker to guess the length of a secret string. Only versions after 1.74 are affected.",
               "title": "Vulnerability Description"
            }
         ],
         "product_status": {
            "fixed": [
               "CSAFPID-0002"
            ],
            "known_affected": [
               "CSAFPID-0001"
            ]
         },
         "scores": [
            {
               "cvss_v3": {
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
               },
               "products": [
                  "CSAFPID-0001"
               ]
            }
         ]
      }
   ]
}