Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
History

Fri, 13 Dec 2024 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-295
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Dec 2024 05:15:00 +0000

Type Values Removed Values Added
Description Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:P'}

cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2024-12-13T05:00:16.747Z

Updated: 2024-12-13T19:54:55.397Z

Reserved: 2023-12-22T12:33:20.124Z

Link: CVE-2024-21543

cve-icon Vulnrichment

Updated: 2024-12-13T19:54:45.619Z

cve-icon NVD

Status : Received

Published: 2024-12-13T05:15:07.653

Modified: 2024-12-13T20:15:19.613

Link: CVE-2024-21543

cve-icon Redhat

No data.