Fluid Attacks Database

Description

djoser Authentication Bypass Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	djoser	>=0 <2.3.0	2.3.0
debian 12	djoser	=2.1.0-1 \|\| >=0 <2.1.0-1+deb12u1	2.1.0-1+deb12u1
debian 13	djoser	>=0 <2.3.1-1	2.3.1-1
debian 11	djoser	=2.1.0-1 \|\| >=0 <2.1.0-1+deb11u1	2.1.0-1+deb11u1
debian 14	djoser	>=0 <2.3.1-1	2.3.1-1

Aliases

1. CVE-2024-215432. NVD-2024-215433. OSV-2024-215434. OSV-DEBIAN-2024-215435. GCVE-2024-215436. lists.debian.org7. SECURITY-TRACKER-CVE-2024-21543

References

1. https://github.com/sunscrapers/djoser/issues/7952. https://github.com/sunscrapers/djoser/pull/8193. https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d4. https://github.com/pypa/advisory-database/tree/main/vulns/djoser/PYSEC-2024-158.yaml5. https://github.com/sunscrapers/djoser/releases/tag/2.3.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.