VYPR
Unrated severity · NVD Advisory · Published Jul 17, 2019 · Updated Aug 5, 2024

CVE-2019-1010084

Description

Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect Access Control. The impact is: Potential for unauthorised access to data. The component is: Incorrect calls to _ensure_auth() wrapper result in authentication-checking not being applied to all routes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dancer::Plugin::SimpleCRUD ≤1.14 fails to enforce authentication on all routes due to misused _ensure_auth() calls, allowing unauthorized data access.

Vulnerability

In Dancer::Plugin::SimpleCRUD version 1.14 and earlier, the _ensure_auth() wrapper was incorrectly invoked in void context at multiple points in the codebase. The function is designed to return a coderef that performs authentication checks (via Dancer::Plugin::Auth::Extensible's require_login/require_role) before executing the original handler. However, calling it in void context discards the returned coderef, leaving the original unauthenticated route handler in place. This means authentication checks are never applied to routes that were intended to be protected. The issue was introduced in the plugin's design and affects all versions up to and including 1.14 [1].

Exploitation

An attacker can access any route that was supposed to be protected by authentication without providing any credentials. No special network position or user interaction is required; the attacker simply sends a request to the vulnerable endpoint. The vulnerability is present in all routes where _ensure_auth() was used incorrectly. The fix involves assigning the returned coderef to the route handler instead of calling the function in void context [1].

Impact

Successful exploitation allows an attacker to bypass authentication and gain unauthorized access to data managed by the CRUD plugin. The impact is unauthorized reading, modifying, or deleting of data, depending on the route's functionality. The attacker gains the same level of access as an authenticated user without needing to authenticate, potentially leading to full compromise of the application's data [1].

Mitigation

The fix was implemented in pull request #109 and released in version 1.15 (or later). Users should upgrade to the latest version of Dancer::Plugin::SimpleCRUD. If upgrading is not immediately possible, a workaround is to manually apply the changes from the pull request, ensuring that _ensure_auth() is called in a context that captures its return value and assigns it as the route handler. No CVE-specific KEV listing is known [1].
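The void-context mistake and its fix, reduced to a self-contained Perl sketch. This is an added example, not code from the plugin or its pull request; `ensure_auth_sketch`, `require_login_sketch`, the route table and the session hashes are hypothetical stand-ins.

```perl
#!/usr/bin/env perl
# Added illustration: a simplified stand-in for the wrapper pattern, not the
# plugin's code. Names, signatures and the session hash are assumptions.
use strict;
use warnings;

# Stand-in for require_login: returns a NEW coderef that checks the session
# before delegating to the original handler.
sub require_login_sketch {
    my ($handler) = @_;
    return sub {
        my ($session) = @_;
        return '401 login required' unless $session->{user};
        return $handler->($session);
    };
}

# Stand-in for _ensure_auth(): it cannot modify the caller's $handler;
# protection exists only in the coderef it returns.
sub ensure_auth_sketch {
    my ($handler, $auth) = @_;
    return $handler unless $auth->{require_login};
    return require_login_sketch($handler);
}

my %routes;
my $auth = { require_login => 1 };

# Vulnerable pattern: void-context call, return value discarded.
{
    my $handler = sub { '200 rows from table' };
    ensure_auth_sketch($handler, $auth);      # wrapped coderef is thrown away
    $routes{'/vulnerable'} = $handler;        # original, unchecked handler
}

# Fixed pattern: the returned coderef replaces the handler.
{
    my $handler = sub { '200 rows from table' };
    $handler = ensure_auth_sketch($handler, $auth);
    $routes{'/fixed'} = $handler;
}

# Constructed requests: one anonymous session, one logged-in session.
for my $path (sort keys %routes) {
    for my $session ({}, { user => 'alice' }) {
        my $who = $session->{user} // 'anonymous';
        printf "%-11s %-9s -> %s\n", $path, $who, $routes{$path}->($session);
    }
}
```

Run with `perl`, the anonymous request to `/vulnerable` reaches the handler, while the same request to `/fixed` is rejected before the handler runs.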

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

1
