[dancer-users] Dancer::Plugin::SimpleCRUD security update

David Precious davidp at preshweb.co.uk
Sun May 6 20:12:48 BST 2018

Hi all,

Important notice for anyone using Dancer::Plugin::SimpleCRUD - if you
use the `auth` option to control access to the CRUD interface/routes
via DPAE, then please update to 1.15 immediately; previous versions
contain a security vulnerability as a result of incorrect calls to
_ensure_auth(), meaning that only some routes are correctly protected,
and some others aren't.

Full details can be seen in PR #109 which fixes this problem:

This is a pretty embarrassing fuckup - a security problem on one of my
projects. I hold my hands up and apologise to anyone affected by this,
for this is a stupid mistake. A better test suite would have caught

I'm not sure if a CVE ID is warranted or not, but I have submitted a
request for one via Distributed Weakness Filing Project, so they can
decide if one is required for this or not.

So, again, please upgrade immediately if you rely on the `auth` option,
and sorry.

Also, many many thanks to Josh Rabinowitz (joshrabinowitz) for finding
this problem and submitting a test which illustrates it.


Dave P (bigpresh)
