CVE-2024-21543: Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the...

5.7 CVSS

Description

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

Classification

CVE ID: CVE-2024-21543

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.7

Affected Products

Vendor: n/a

Product: djoser

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.83% (scored less or equal to compared to others)

EPSS Date: 2025-02-04 (when was this score calculated)

References

https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540
https://github.com/sunscrapers/djoser/releases/tag/2.3.0
https://github.com/sunscrapers/djoser/issues/795
https://github.com/sunscrapers/djoser/pull/819
https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d

Timeline

2024-12-14 00:30:20 UTC
CVE

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the...
2024-12-18 15:15:21 UTC
Github Advisory Database (PIP)

[djoser] djoser Authentication Bypass