CVE-2024-21543

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Djoser	Ubuntu	esm-apps/focal	*
Djoser	Ubuntu	esm-apps/jammy	*
Djoser	Ubuntu	esm-apps/noble	*
Djoser	Ubuntu	focal	*
Djoser	Ubuntu	jammy	*
Djoser	Ubuntu	noble	*
Djoser	Ubuntu	oracular	*
Djoser	Ubuntu	upstream	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d
https://github.com/sunscrapers/djoser/issues/795
https://github.com/sunscrapers/djoser/pull/819
https://github.com/sunscrapers/djoser/releases/tag/2.3.0
https://security.snyk.io/vuln/SNYK-PYTHON-DJOSER-8366540
https://lists.debian.org/debian-lts-announce/2025/02/msg00023.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-21543
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References