QwikSec

Security Database

CVE

CWE

Training

CVE-2024-21543

Published: Dec 13, 2024

Modified: Feb 20, 2025

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

Vendor	Product	Versions
n/a	djoser	affected `0 - < 2.3.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540

https://github.com/sunscrapers/djoser/releases/tag/2.3.0

https://github.com/sunscrapers/djoser/issues/795

https://github.com/sunscrapers/djoser/pull/819

https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2024-21543 | HIGH (7.1) - Security Vulnerability | QwikSec