CVE-2024-21543
HIGH
djoser < 2.3.0 - Authentication Bypass via Database Query Fallback
Title source: llmDescription
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails: instead of rejecting the login, the system falls back to querying the database directly and grants access to any user whose credentials match, thereby bypassing custom authentication checks such as two-factor authentication, LDAP validation, or requirements enforced by the configured AUTHENTICATION_BACKENDS.
References (6)
Core References
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540
Issue Tracking
https://github.com/sunscrapers/djoser/issues/795
Issue Tracking
https://github.com/sunscrapers/djoser/pull/819
Release Notes
https://github.com/sunscrapers/djoser/releases/tag/2.3.0
Scores
CVSS v3
7.1
EPSS
0.0015
EPSS Percentile
35.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-287
CWE-295
Status
published
Products (2)
n/a/djoser
< 2.3.0
pypi/djoser
0 - 2.3.0 (PyPI)
Published
Dec 13, 2024
Tracked Since
Feb 18, 2026