Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesnt require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
Weakness
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Social-auth-app-django | Ubuntu | plucky | * |
Related Attack Patterns
References
- https://github.com/python-social-auth/social-app-django/commit/10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c
- https://github.com/python-social-auth/social-app-django/issues/220
- https://github.com/python-social-auth/social-app-django/issues/231
- https://github.com/python-social-auth/social-app-django/issues/634
- https://github.com/python-social-auth/social-app-django/pull/803
- https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-wv4w-6qv2-qqfg
- https://github.com/python-social-auth/social-app-django/issues/220
- https://github.com/python-social-auth/social-app-django/issues/231
- https://github.com/python-social-auth/social-app-django/issues/634