GHSA-2gr8-3wc7-xhj3

Source

https://github.com/advisories/GHSA-2gr8-3wc7-xhj3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2gr8-3wc7-xhj3/GHSA-2gr8-3wc7-xhj3.json

Aliases

CVE-2024-32879

Published

2024-04-24T18:47:21Z

Modified

2024-04-24T21:47:48.801341Z

Details

Impact

Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.

Patches

This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and fix released in 5.4.1.

Workarounds

An immediate workaround would be to change collation of the affected field:

ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;

References

This issue was discovered by folks at https://opencraft.com/.

References

Affected packages

PyPI / social-auth-app-django

Package

Name: social-auth-app-django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

5.4.1

Affected versions

0.*

0.0.1

0.1.0

1.*

1.0.0

1.0.1

1.1.0

1.2.0

2.*

2.0.0

2.1.0

3.*

3.0.0

3.1.0

3.3.0

3.4.0

4.*

4.0.0

5.*

5.0.0

5.1.0

5.2.0

5.3.0

5.4.0