Vulnerability DatabaseCVE-2024-21543
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-21543
December 13, 2024
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
Related ResourcesĀ (9)
https://github.com/pypa/advisory-database/tree/main/vulns/djoser/PYSEC-2024-158.yaml
https://security-tracker.debian.org/tracker/CVE-2024-21543
https://github.com/sunscrapers/djoser
https://github.com/sunscrapers/djoser/pull/819
https://nvd.nist.gov/vuln/detail/CVE-2024-21543
https://lists.debian.org/debian-lts-announce/2025/02/msg00023.html
https://github.com/sunscrapers/djoser/issues/795
https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
https://github.com/sunscrapers/djoser/releases/tag/2.3.0
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Authentication
CWE-287
Improper Certificate Validation
CWE-295
EPSS
Base Score:
0.11