CVE-2024-21543

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21543

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21543.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-21543

Aliases

Downstream

DEBIAN-CVE-2024-21543

DLA-4060-1

UBUNTU-CVE-2024-21543

USN-7354-1

Published

2024-12-13T05:15:07Z

Modified

2025-10-22T18:19:57.258950Z

Severity

5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.

References

Affected packages

Git / github.com/sunscrapers/djoser

Affected ranges

Type: GIT
Repo: https://github.com/sunscrapers/djoser
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d33c3993c0c735f23cbedc60fa59fce69354f19d

Fixed

db80fc721290b3acf5cfccaffc6dbd7b2d009947

Affected versions

0.*

0.2.1

0.3.0

0.3.1

0.4.0

0.4.1

0.4.3

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.6.0

0.7.0

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.4.0

1.5.0

1.5.1

1.6.0

1.7.0

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.1.0

2.2.1

2.2.2