|
|
Message-ID: <7eb3b13a-570c-4825-b327-b0cc68f55288@cpansec.org> Date: Fri, 17 Jul 2026 13:51:07 +0100 From: Robert Rothenberg <rrwo@...nsec.org> To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com Subject: CVE-2026-13410: Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled ======================================================================== CVE-2026-13410 CPAN Security Group ======================================================================== CVE ID: CVE-2026-13410 Distribution: Dancer-Plugin-Auth-Google Versions: through 0.07 MetaCPAN: https://metacpan.org/dist/Dancer-Plugin-Auth-Google VCS Repo: https://github.com/garu/Dancer-Plugin-Auth-Google Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled Description ----------- Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS verification disabled. The default user agent is initialised with SSL_verify_mode explicitly disabled. An attacker with network man-in-the-middle (MITM) capability between the Dancer application and googleapis.com can intercept the OAuth2 token exchange and userinfo fetch, return a forged access_token and user profile, and be logged in to the Dancer application as any Google user. Problem types ------------- - CWE-295 Improper Certificate Validation Workarounds ----------- There is no caller-side override. Apply the patch. References ---------- https://github.com/garu/Dancer-Plugin-Auth-Google/pull/5 https://security.metacpan.org/patches/D/Dancer-Plugin-Auth-Google/0.07/CVE-2026-13410-r1.patch https://metacpan.org/pod/Furl#HTTPS-requests-claims-warnings!
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.