PYSEC-2024-158
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/djoser/PYSEC-2024-158.yaml
- JSON Data
- https://api.test.osv.dev/v1/vulns/PYSEC-2024-158
- Aliases
- Published
- 2024-12-13T05:15:07Z
- Modified
- 2025-01-14T05:56:45.771986Z
- Summary
- [none]
- Details
-
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
- References
Affected packages
PyPI / djoser
Package
- Name
- djoser
- View open source insights on deps.dev
- Purl
- pkg:pypi/djoser
Affected ranges
- Type
- GIT
- Repo
- https://github.com/sunscrapers/djoser
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.3.0
Affected versions
0.*
0.0.1
0.0.2
0.0.3
0.1.0
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.6.0
0.7.0
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.2
1.3.3
1.4.1
1.5.1
1.6.0
1.7.0
2.*
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.1.0
2.2.0a0
2.2.0
2.2.1
2.2.2
2.2.3