Improper Privilege Management in djangorestframework-simplejwt <= 5.3.1 #815
Comments
This seems like something that is def worth fixing sooner than later; security should be #1 for a JWT framework. Anybody more familiar with the codebase have some time to look into this? 🙏🏼
Looks like there's a PR already, but it's a bit stalled.
It's better they fix it, and I see the last update is from like 5 months ago. Idk what is happening; if someone has contact with the guys, it's worth telling them to update. I like this package because it is simple to use rather than some others.
Fix for Issue jazzband#815
Hi all, I believe the CVE was previously discussed here: #779. The severity is marked as low, and we should document this for_user thing much better. I don't really have the time to get rid of the CVE though; however, before the next release, I'll update the docs and see what the analyst interprets with next steps.
Improper Privilege Management Vulnerability
Description:
I recently came across a Dependabot alert on GitHub regarding an improper privilege management vulnerability in djangorestframework-simplejwt. I attempted to address this by upgrading to the latest version, only to discover that version 5.3.1 is the most recent release and it remains vulnerable. The vulnerability allows a user to access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.
Affected Versions:
Patched Version:
Steps to Reproduce:
Expected Behavior:
The disabled user should not be able to access any resources.
Actual Behavior:
The disabled user can still access resources due to missing validation checks.
Possible Solution:
Implement validation checks in the for_user method to ensure that disabled users cannot access resources.
Reference
I was initially alerted to the issue by a dependency bot. Upon attempting to update the package, I discovered there was no updated version available on PyPI. I then checked the repository for recent updates, but none were available.
This issue is critical as it can lead to unauthorized access to resources by users who should no longer have access. Please prioritize this fix and release an updated version as soon as possible.
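To show the defect and the two places a fix has to live, here is an added, self-contained sketch (not code from the reporter or from djangorestframework-simplejwt): a minimal HMAC-signed token minted from a user object, first without any account check (the reported behaviour), then with an is_active check at issuance, and finally a verification-time check, since a stateless token minted before an account was disabled otherwise keeps working until it expires. The User class, the secret and the function names are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"  # placeholder signing key for the example


@dataclass
class User:            # stand-in for a Django user; only is_active matters here
    id: int
    username: str
    is_active: bool


class InactiveUser(Exception):
    """Raised when a disabled account asks for, or presents, a token."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(payload: dict) -> str:
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def for_user_unchecked(user: User) -> str:
    # Mirrors the reported defect: a token is minted for any user object,
    # disabled or not, because nothing consults is_active.
    return _sign({"user_id": user.id, "exp": int(time.time()) + 300})


def for_user_checked(user: User) -> str:
    # Hardened issuance: refuse to mint a token for a disabled account.
    if not user.is_active:
        raise InactiveUser(f"user {user.id} is disabled")
    return for_user_unchecked(user)


def authenticate(token: str, users: dict) -> User:
    # Verification-time check: a JWT is stateless, so disabling an account
    # must also be enforced on every request, not only when tokens are issued.
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    user = users[claims["user_id"]]
    if not user.is_active:
        raise InactiveUser(f"user {user.id} is disabled")
    return user
```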