CVE-2024-21543

Dec. 13, 2024, 8:15 p.m.

7.1
High

Description

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

Product(s) Impacted

Product Versions
djoser
  • ['before 2.3.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-295
Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

References

https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
https://github.com/sunscrapers/djoser/issues/795
https://github.com/sunscrapers/djoser/pull/819
https://github.com/sunscrapers/djoser/releases/tag/2.3.0
https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540

Tags

CWE-295
CWE-287
report@snyk.io
2024-12-13
CVE-2024-21543

CVSS Score

7.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

    View Vector String

Timeline

Published: Dec. 13, 2024, 5:15 a.m.
Last Modified: Dec. 13, 2024, 8:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

report@snyk.io

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.