CVE-2024-21543
5.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | djoser | 0 < 2.3.0 | affected |
Weaknesses
- CWE-287: Authentication Bypass
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
- https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540
- https://github.com/sunscrapers/djoser/releases/tag/2.3.0
- https://github.com/sunscrapers/djoser/issues/795
- https://github.com/sunscrapers/djoser/pull/819
- https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.