Source: djoser
Version: 2.1.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/sunscrapers/djoser/issues/795
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for djoser. Making it RC to be on
the safe side.

CVE-2024-21543[0]:
| Versions of the package djoser before 2.3.0 are vulnerable to
| Authentication Bypass when the authenticate() function fails. This
| is because the system falls back to querying the database directly,
| granting access to users with valid credentials, and eventually
| bypassing custom authentication checks such as two-factor
| authentication, LDAP validations, or requirements from configured
| AUTHENTICATION_BACKENDS.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21543
    https://www.cve.org/CVERecord?id=CVE-2024-21543
[1] https://github.com/sunscrapers/djoser/issues/795
[2] https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d

Regards,
Salvatore
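Added illustration, not part of the bug report and not djoser's or Django's code: a constructed Python stand-in for the fallback pattern the CVE text describes, with the vulnerable login beside the hardened form. `User`, `USERS`, `mfa_backend`, `authenticate` and both `login_*` functions are assumptions that mimic the Django pieces named in the advisory.

```python
# Constructed stand-in for the bug described in CVE-2024-21543.
# Not djoser's code: a minimal model of django.contrib.auth.authenticate()
# with one custom backend, and a login view that does/does not fall back
# to a direct user-table lookup when that backend returns None.
from dataclasses import dataclass


@dataclass
class User:
    username: str
    password: str               # plaintext only for this illustration
    totp_verified: bool = False  # second factor completed?

    def check_password(self, raw):
        return raw == self.password


# Stand-in for the User table (constructed sample data).
USERS = {
    "alice": User("alice", "correct horse"),                    # no 2FA done
    "bob": User("bob", "hunter2", totp_verified=True),         # 2FA done
}


def mfa_backend(username, password):
    """Custom AUTHENTICATION_BACKENDS entry: valid password AND a second factor."""
    user = USERS.get(username)
    if user and user.check_password(password) and user.totp_verified:
        return user
    return None


def authenticate(username, password, backends=(mfa_backend,)):
    """Mimics Django's authenticate(): first backend that returns a user wins."""
    for backend in backends:
        user = backend(username, password)
        if user is not None:
            return user
    return None


def login_vulnerable(username, password):
    """Pattern from the advisory: when authenticate() fails, query the table directly."""
    user = authenticate(username, password)
    if user is None:
        user = USERS.get(username)           # skips every configured backend
        if user is None or not user.check_password(password):
            return None
    return user                              # alice gets in without 2FA


def login_fixed(username, password):
    """Hardened form: the configured backends are the only path to a user."""
    return authenticate(username, password)
```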