Versions of the djoser package before 2.3.0 are vulnerable to authentication bypass when the authenticate() function fails. Instead of rejecting the login, the system falls back to querying the database directly and grants access to any user whose stored password matches, thereby bypassing custom authentication checks such as two-factor authentication, LDAP validation, or requirements enforced by the configured AUTHENTICATION_BACKENDS.
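The fallback pattern behind this advisory, as an added illustration that is not djoser's own code: a constructed authentication backend refuses a login that lacks a valid second factor, and the pre-2.3.0 style login treats that refusal like "user not found" and re-checks only the password against the user table, while the hardened version makes the backend's decision final. The `User` model, `USERS` store, `authenticate()` stand-in and both `*_login` functions are assumptions built for this example.

```python
"""Constructed illustration of the CVE-2024-21543 fallback pattern.

Not djoser's code: a minimal stand-in models a configured
AUTHENTICATION_BACKENDS chain that enforces a second factor, and a
login routine that, when that backend fails, falls back to a direct
database lookup plus password check (the behaviour removed in 2.3.0).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    password: str      # plaintext only for this illustration
    totp_code: str     # the second factor the backend demands

    def check_password(self, candidate: str) -> bool:
        return self.password == candidate


# Constructed "user table"
USERS = {"alice": User("alice", "correct horse", "123456")}


def authenticate(username: str, password: str, otp: Optional[str] = None) -> Optional[User]:
    """Stand-in backend: password AND a valid one-time code are required."""
    user = USERS.get(username)
    if user is None or not user.check_password(password):
        return None
    if otp != user.totp_code:
        return None   # second factor missing or wrong: the backend refuses
    return user


def vulnerable_login(username: str, password: str, otp: Optional[str] = None) -> Optional[User]:
    """Pre-2.3.0 pattern: backend refusal is handled like 'no such user'."""
    user = authenticate(username, password, otp)
    if user is None:
        # Fallback: query the table directly and verify only the password,
        # silently skipping whatever the backend enforced (2FA, LDAP, ...).
        user = USERS.get(username)
        if user is not None and not user.check_password(password):
            user = None
    return user


def fixed_login(username: str, password: str, otp: Optional[str] = None) -> Optional[User]:
    """Hardened pattern: the backend's verdict is final, no direct DB fallback."""
    return authenticate(username, password, otp)
```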
History
Fri, 13 Dec 2024 20:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Weaknesses | CWE-295 |
Metrics | ssvc |
Fri, 13 Dec 2024 05:15:00 +0000
Type | Values Removed | Values Added
---|---|---
Description | Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS. |
Weaknesses | CWE-287 |
References | |
Metrics | cvssV3_1 |
MITRE
Status: PUBLISHED
Assigner: snyk
Published: 2024-12-13T05:00:16.747Z
Updated: 2024-12-13T19:54:55.397Z
Reserved: 2023-12-22T12:33:20.124Z
Link: CVE-2024-21543
Vulnrichment
Updated: 2024-12-13T19:54:45.619Z
NVD
Status: Received
Published: 2024-12-13T05:15:07.653
Modified: 2024-12-13T20:15:19.613
Link: CVE-2024-21543
Redhat
No data.