PYSEC-2020-40

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/drf-jwt/PYSEC-2020-40.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2020-40

Aliases

CVE-2020-10594
GHSA-fpjm-rp2g-3r4c

Published

2020-03-15T22:15:00Z

Modified

2023-11-08T04:01:58.465385Z

Summary

[none]

Details

An issue was discovered in drf-jwt 1.15.x before 1.15.1. It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the blacklist protection mechanism is incompatible with the token-refresh feature. NOTE: drf-jwt is a fork of jpadilla/django-rest-framework-jwt, which is unmaintained.

References

https://github.com/jpadilla/django-rest-framework-jwt/issues/484
https://pypi.org/project/drf-jwt/1.15.1/#history
https://github.com/Styria-Digital/django-rest-framework-jwt/issues/36
https://github.com/advisories/GHSA-fpjm-rp2g-3r4c

Affected packages

PyPI / drf-jwt

Package

Name: drf-jwt; View open source insights on deps.dev
Purl: pkg:pypi/drf-jwt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.15.0

Fixed

1.15.1

Affected versions

1.*

1.15.0