PYSEC-2022-192

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/django-mfa3/PYSEC-2022-192.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2022-192

Aliases

Published

2022-04-15T19:15:00Z

Modified

2023-11-01T04:58:10.968161Z

Summary

[none]

Details

django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition before the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)

References

Affected packages

PyPI / django-mfa3

Package

Name: django-mfa3; View open source insights on deps.dev
Purl: pkg:pypi/django-mfa3

Affected ranges

Type: GIT
Repo: https://github.com/xi/django-mfa3
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

32f656e22df120b84bdf010e014bb19bd97971de

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.5.0

Affected versions

0.*

0.0.0

0.1.0

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.3.0

0.4.0