CVE-2024-21543 HIGH

CVE-2024-21543

Vendor N/A
Product djoser
Weakness CWE-287 · Improper authentication
Published December 13, 2024
Last update February 20, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:P

What the vulnerability does

01Description

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

Key dates

02Disclosure timeline

December 13, 2024 CVE published
February 20, 2025 Record updated