[Original text] CGI::Session 4.03-1 does not set proper permissions on temporary files created in (1) Driver::File and (2) Driver::db_file, which allows local users to obtain privileged information, such as session keys, by viewing the files.
CGI::Session Session File Permission Weakness Local Information Disclosure
Local Access Required
Loss of Confidentiality
CGI::Session contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when Driver::File creates a session file without setting permissions on it. With a standard umask setting, the session file will be world-readable, resulting in a loss of confidentiality.
Currently, there are no known workarounds or upgrades to correct this issue. However, Julien Danjou has released a patch to address this vulnerability.
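
The permission weakness described above, as an added Perl example (not CGI::Session's code and not the released patch): a file created with a plain open() under umask 0022 ends up world-readable, while requesting mode 0600 at creation keeps it private to the owner. The file names, session data and the helper names store_weak, store_private, mode_of and exposed_files are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: file names and contents are constructed, not taken from CGI::Session.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);
umask 0022;    # assumed "standard umask" from the advisory text

# Weak pattern: open() creates the file as 0666 & ~umask, i.e. 0644 here.
sub store_weak {
    my ($path, $data) = @_;
    open(my $fh, '>', $path) or die "open $path: $!";
    print {$fh} $data;
    close($fh) or die "close $path: $!";
}

# Hardened pattern: ask for 0600 when the file is created, so it is never
# readable by other local users; O_EXCL refuses a pre-existing file.
sub store_private {
    my ($path, $data) = @_;
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "sysopen $path: $!";
    print {$fh} $data;
    close($fh) or die "close $path: $!";
}

# Permission bits of a file.
sub mode_of {
    my ($path) = @_;
    my @st = stat($path) or die "stat $path: $!";
    return $st[2] & 07777;
}

# Audit check: regular files in a directory that group or other can read.
sub exposed_files {
    my ($d) = @_;
    opendir(my $dh, $d) or die "opendir $d: $!";
    my @hits = grep { -f "$d/$_" && (mode_of("$d/$_") & 0044) } readdir($dh);
    closedir($dh);
    return sort @hits;
}

store_weak("$dir/sess_weak", "constructed session data\n");
store_private("$dir/sess_private", "constructed session data\n");
printf "%-14s %04o\n", $_, mode_of("$dir/$_") for qw(sess_weak sess_private);
print "exposed: ", join(", ", exposed_files($dir)), "\n";
```

The same exposed_files check can be pointed at a real session directory to find files that were already written with loose permissions.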