CVE-2024-21543
CVE-2024-21543
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.7EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
13 dic 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Productos afectados
n/a · djoser¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19dhttps://github.com/sunscrapers/djoser/issues/795https://github.com/sunscrapers/djoser/pull/819https://github.com/sunscrapers/djoser/releases/tag/2.3.0https://lists.debian.org/debian-lts-announce/2025/02/msg00023.htmlhttps://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540