CVE-2024-21543

Name: CVE-2024-21543
Description: Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. Instead of rejecting the login, djoser falls back to querying the user table directly and grants access to any user whose stored password matches, thereby bypassing the checks that the configured AUTHENTICATION_BACKENDS were meant to enforce, such as two-factor authentication or LDAP validation.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1089915
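The failure mode in the description, as an added illustration. This is a constructed, dependency-free model and not djoser's or Django's code: a tiny in-memory user store stands in for the User model, a single backend that requires a one-time code for enrolled users stands in for a custom entry in AUTHENTICATION_BACKENDS, and the fixed OTP "123456" is a demo assumption. vulnerable_login() shows the pre-2.3.0 pattern of falling back to a raw credential check when authenticate() returns None; hardened_login() treats the backends as the only authority, which is what the fix referenced in the Notes below does for the real serializer.

```python
"""Constructed model of the djoser < 2.3.0 fallback bug (not djoser code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    password_hash: bytes  # salted SHA-256, a stand-in for Django's password hasher
    salt: bytes
    mfa_enrolled: bool = False
    is_active: bool = True

    def check_password(self, raw: str) -> bool:
        digest = hashlib.sha256(self.salt + raw.encode()).digest()
        return hmac.compare_digest(digest, self.password_hash)


def make_user(username: str, password: str, mfa_enrolled: bool = False) -> User:
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return User(username, digest, salt, mfa_enrolled)


# Constructed user table standing in for the Django User model.
USERS = {
    u.username: u
    for u in [
        make_user("alice", "correct horse battery staple", mfa_enrolled=True),
        make_user("bob", "hunter2", mfa_enrolled=False),
    ]
}

DEMO_OTP = "123456"  # hypothetical: a real backend would verify a TOTP/HOTP code


def mfa_backend(username: str, password: str, otp: Optional[str]) -> Optional[User]:
    """Password plus second factor; enrolled users without a valid OTP are refused."""
    user = USERS.get(username)
    if user is None or not user.is_active or not user.check_password(password):
        return None
    if user.mfa_enrolled and otp != DEMO_OTP:
        return None
    return user


# Stand-in for Django's AUTHENTICATION_BACKENDS setting.
AUTHENTICATION_BACKENDS = [mfa_backend]


def authenticate(username: str, password: str, otp: Optional[str] = None) -> Optional[User]:
    """Mirror of django.contrib.auth.authenticate(): first backend that accepts wins."""
    for backend in AUTHENTICATION_BACKENDS:
        user = backend(username, password, otp)
        if user is not None:
            return user
    return None


def vulnerable_login(username: str, password: str, otp: Optional[str] = None) -> Optional[User]:
    """Pre-2.3.0 pattern: a backend refusal is overridden by a raw password check."""
    user = authenticate(username, password, otp)
    if user is None:
        # The bug: the backends said no, but we consult the user table anyway.
        candidate = USERS.get(username)
        if candidate is not None and candidate.is_active and candidate.check_password(password):
            user = candidate
    return user


def hardened_login(username: str, password: str, otp: Optional[str] = None) -> Optional[User]:
    """Fixed pattern: the configured backends are the only authority."""
    return authenticate(username, password, otp)
```

With this model, alice (MFA-enrolled) logs in through vulnerable_login() with only her password, because the fallback never consults the backend that would have demanded the second factor; hardened_login() refuses her until the OTP is supplied, while bob, who is not enrolled, is accepted by both.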

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                          Version   Status
djoser (PTS)     stretch                          0.5.2-1   vulnerable
djoser (PTS)     buster                           1.4.0-1   vulnerable
djoser (PTS)     sid, trixie, bullseye, bookworm  2.1.0-1   vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version   Urgency       Origin   Debian Bugs
djoser    source   stretch     (unfixed)       end-of-life
djoser    source   buster      (unfixed)       end-of-life
djoser    source   (unstable)  (unfixed)                              1089915

Notes

https://github.com/sunscrapers/djoser/issues/795
https://github.com/sunscrapers/djoser/pull/819
https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d (2.3.0)
