Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7eb3b13a-570c-4825-b327-b0cc68f55288@cpansec.org>
Date: Fri, 17 Jul 2026 13:51:07 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-13410: Dancer::Plugin::Auth::Google versions through 0.07
 for Perl have TLS verification disabled


========================================================================
CVE-2026-13410                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-13410
   Distribution:  Dancer-Plugin-Auth-Google
       Versions:  through 0.07

       MetaCPAN: https://metacpan.org/dist/Dancer-Plugin-Auth-Google
       VCS Repo:  https://github.com/garu/Dancer-Plugin-Auth-Google


Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS
verification disabled

Description
-----------
Dancer::Plugin::Auth::Google versions through 0.07 for Perl have TLS
verification disabled.

The default user agent is initialised with SSL_verify_mode explicitly
disabled.

An attacker with network man-in-the-middle (MITM) capability between
the Dancer application and googleapis.com can intercept the OAuth2
token exchange and userinfo fetch, return a forged access_token and
user profile, and be logged in to the Dancer application as any Google
user.

Problem types
-------------
- CWE-295 Improper Certificate Validation

Workarounds
-----------
There is no caller-side override.

Apply the patch.


References
----------
https://github.com/garu/Dancer-Plugin-Auth-Google/pull/5
https://security.metacpan.org/patches/D/Dancer-Plugin-Auth-Google/0.07/CVE-2026-13410-r1.patch
https://metacpan.org/pod/Furl#HTTPS-requests-claims-warnings!



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.