CVE-2024-21543

Name: CVE-2024-21543
Description: Versions of the djoser package before 2.3.0 are vulnerable to authentication bypass when the authenticate() call fails. Instead of rejecting the login, djoser falls back to querying the database directly and accepts any user whose password matches, thereby bypassing custom authentication checks such as two-factor authentication, LDAP validation, or any other requirement enforced by the configured AUTHENTICATION_BACKENDS.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4060-1
Debian Bugs: 1089915
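To make the fallback in the description concrete, here is an added, self-contained model of the login flow, written for this page: it is not djoser's or Django's code and not taken from the tracker. Every name in it (password_backend, totp_backend, USERS, CONSTRUCTED_VALID_OTP, login_vulnerable, login_fixed) is an assumption made for illustration. The deployment configures a single backend that requires a one-time code for enrolled users; the vulnerable flow accepts the password alone once that backend returns None, the fixed flow treats authenticate() as the only way in.

```python
# Added illustration of the CVE-2024-21543 pattern: a login that falls back to
# a direct user-store lookup when every authentication backend rejects it.
# Hypothetical model written for this page; NOT djoser's or Django's code.
import hashlib
import hmac
from dataclasses import dataclass


def hash_password(raw: str) -> str:
    # Stand-in for Django's password hasher. Plain SHA-256 is NOT acceptable
    # for real password storage; it is used here only to keep the example offline.
    return hashlib.sha256(raw.encode()).hexdigest()


@dataclass
class User:
    username: str
    password_hash: str
    is_active: bool = True
    totp_enrolled: bool = False  # constructed flag: user has 2FA enabled

    def check_password(self, raw: str) -> bool:
        return hmac.compare_digest(self.password_hash, hash_password(raw))


# Constructed sample user store standing in for User.objects.
USERS = {
    "alice": User("alice", hash_password("correct horse"), totp_enrolled=True),
    "bob": User("bob", hash_password("battery staple")),
    "carol": User("carol", hash_password("staple"), is_active=False),
}

CONSTRUCTED_VALID_OTP = "123456"  # constructed: what alice's authenticator shows


def password_backend(username=None, password=None, **_):
    """Hypothetical backend: username + password only (ModelBackend-like)."""
    user = USERS.get(username)
    if user is not None and user.check_password(password or ""):
        return user
    return None


def totp_backend(username=None, password=None, otp=None, **_):
    """Hypothetical 2FA backend: the password must match AND, for enrolled
    users, a valid one-time code must be supplied. Returns None otherwise."""
    user = password_backend(username=username, password=password)
    if user is None:
        return None
    if user.totp_enrolled and otp != CONSTRUCTED_VALID_OTP:
        return None
    return user


# Stand-in for settings.AUTHENTICATION_BACKENDS: the operator intends every
# login to pass the 2FA check.
AUTHENTICATION_BACKENDS = [totp_backend]


def authenticate(**credentials):
    """Mimics django.contrib.auth.authenticate(): the first backend that
    accepts wins; None means every configured backend rejected the login."""
    for backend in AUTHENTICATION_BACKENDS:
        user = backend(**credentials)
        if user is not None:
            return user
    return None


def login_vulnerable(username, password, otp=None):
    """The pre-2.3.0 pattern from the advisory: when authenticate() fails,
    look the user up directly and accept a matching password, so whatever the
    backends additionally enforce (here, the OTP) is never checked."""
    user = authenticate(username=username, password=password, otp=otp)
    if not user:
        user = USERS.get(username)  # direct store lookup: the bug
        if user is not None and not user.check_password(password):
            return None
    if user is not None and user.is_active:
        return user
    return None


def login_fixed(username, password, otp=None):
    """The 2.3.0 behaviour: authenticate() is the only path to a logged-in
    user; if every backend rejects the credentials, the login fails."""
    user = authenticate(username=username, password=password, otp=otp)
    if user is not None and user.is_active:
        return user
    return None
```

With this model, login_vulnerable("alice", "correct horse") with no OTP returns alice, because the fallback only re-checks the password the backend already validated; login_fixed returns None for the same input and only succeeds when the OTP is supplied. The same shape applies to an LDAP or any other backend whose decision goes beyond the stored password hash: any check that lives only in a backend is lost the moment the caller second-guesses a None from authenticate().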

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version           Status
djoser (PTS)     bullseye (security)   2.1.0-1+deb11u1   fixed
                 bookworm, bullseye    2.1.0-1           vulnerable
                 sid, trixie           2.3.1-1           fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin       Debian Bugs
djoser    source   bullseye     2.1.0-1+deb11u1             DLA-4060-1
djoser    source   (unstable)   2.3.1-1                                  1089915

Notes

[bookworm] - djoser <no-dsa> (Minor issue; can be fixed via point release)
https://github.com/sunscrapers/djoser/issues/795
https://github.com/sunscrapers/djoser/pull/819
https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d (2.3.0)
