Vulnerability Description
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce6935
- https://github.com/sunscrapers/djoser/issues/795
- https://github.com/sunscrapers/djoser/pull/819
- https://github.com/sunscrapers/djoser/releases/tag/2.3.0
- https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540
- https://lists.debian.org/debian-lts-announce/2025/02/msg00023.html
FAQ
What is CVE-2024-21543?
CVE-2024-21543 is a vulnerability with a CVSS score of 7.1 (HIGH). Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, gra...
How severe is CVE-2024-21543?
CVE-2024-21543 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21543?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.