Improper Privilege Management in djangorestframework-simplejwt <= 5.3.1 #815

isaka-james opened this issue Jul 12, 2024 · 4 comments


isaka-james commented Jul 12, 2024

Improper Privilege Management Vulnerability

Description:
I recently came across a Dependabot alert on GitHub regarding an improper privilege management vulnerability in djangorestframework-simplejwt. I attempted to address this by upgrading to the latest version, only to discover that version 5.3.1 is the most recent release and it remains vulnerable.

The vulnerability allows a user to access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.

Affected Versions:

  • djangorestframework-simplejwt (pip) <= 5.3.1

Patched Version:

  • None

Steps to Reproduce:

  1. Create a user account and log in.
  2. Disable the user account in the application.
  3. Attempt to access resources using the previously issued JWT token.

Expected Behavior:
The disabled user should not be able to access any resources.

Actual Behavior:
The disabled user can still access resources due to missing validation checks.

Possible Solution:
Implement validation checks in the for_user method to ensure that disabled users cannot access resources.

Reference
I was initially alerted to the issue by a dependency bot. Upon attempting to update the package, I discovered there was no updated version available on PyPI. I then checked the repository for recent updates, but none were available.

This issue is critical as it can lead to unauthorized access to resources by users who should no longer have access. Please prioritize this fix and release an updated version as soon as possible.

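As an added, stand-alone illustration of the point raised in this issue (not code from djangorestframework-simplejwt or from the reporter), the block below models a `for_user`-style issuer with and without an `is_active` check, using only the Python standard library for a toy HS256 token. The names `User`, `for_user_unchecked`, `for_user_checked`, `authenticate` and `walkthrough`, the in-memory user store and the signing key are all constructed for the example. It replays the reporter's three steps and shows why an issuance-time check alone is not enough: a token minted before the account was disabled stays cryptographically valid until it expires, so `is_active` must also be re-checked when the token is presented (or the token must be blacklisted).

```python
"""Stand-alone model of the for_user problem (stdlib only, constructed example).

NOT djangorestframework-simplejwt's code: User, for_user_unchecked,
for_user_checked, authenticate and walkthrough are hypothetical names.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-demo-signing-key"  # constructed; real apps load this from settings


@dataclass
class User:
    id: int
    username: str
    is_active: bool = True


class InactiveUser(Exception):
    """A disabled account tried to obtain or use a token."""


class InvalidToken(Exception):
    """Malformed, forged or expired token."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def _mint(user: User, lifetime: int, now: Optional[int]) -> str:
    """Build header.payload.signature for the user; no policy decision here."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"user_id": user.id, "exp": now + lifetime}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{_sign(signing_input)}"


def for_user_unchecked(user: User, lifetime: int = 300, now: Optional[int] = None) -> str:
    """The behaviour the issue describes: mints for any user object, active or not."""
    return _mint(user, lifetime, now)


def for_user_checked(user: User, lifetime: int = 300, now: Optional[int] = None) -> str:
    """Hardened issuer: refuse to mint a token for a disabled account."""
    if not user.is_active:
        raise InactiveUser(f"user {user.id} is not active")
    return _mint(user, lifetime, now)


def authenticate(token: str, user_store: dict, now: Optional[int] = None) -> User:
    """Verify signature and expiry, then re-check is_active against the current store.

    A token minted before the account was disabled is still validly signed until
    exp, so this per-request check (or a blacklist) is what actually locks out
    the user; the issuance-time check in for_user_checked cannot do it alone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header, payload, sig = parts
    signing_input = f"{header}.{payload}".encode("ascii")
    if not hmac.compare_digest(_sign(signing_input), sig):
        raise InvalidToken("bad signature")
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise InvalidToken("expired")
    user = user_store.get(claims.get("user_id"))
    if user is None:
        raise InvalidToken("unknown user")
    if not user.is_active:
        raise InactiveUser(f"user {user.id} is not active")
    return user


def walkthrough() -> dict:
    """Replay the issue's three steps against both issuers and report outcomes."""
    store = {1: User(1, "alice")}                          # step 1: account exists, logs in
    token_while_active = for_user_checked(store[1], now=1_000_000)
    outcomes = {"login_ok": authenticate(token_while_active, store, now=1_000_001).username}
    store[1].is_active = False                             # step 2: disable the account
    outcomes["unchecked_mints_for_disabled"] = for_user_unchecked(store[1], now=1_000_002).count(".") == 2
    try:
        for_user_checked(store[1], now=1_000_002)
        outcomes["checked_mints_for_disabled"] = True
    except InactiveUser:
        outcomes["checked_mints_for_disabled"] = False
    try:                                                   # step 3: replay the earlier token
        authenticate(token_while_active, store, now=1_000_003)
        outcomes["old_token_accepted"] = True
    except InactiveUser:
        outcomes["old_token_accepted"] = False
    return outcomes


if __name__ == "__main__":
    print(walkthrough())
```

Running `walkthrough()` shows the unchecked issuer happily minting for the disabled user while the checked one refuses, and the previously issued token being rejected only because `authenticate` consults the live `is_active` flag. In a Django deployment the equivalent of that second check belongs in the authentication path, not only in token creation.
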
@adamJLev

adamJLev commented Sep 10, 2024

This seems like something that is definitely worth fixing sooner rather than later; security should be #1 for a JWT framework. Anybody more familiar with the codebase have some time to look into this? 🙏🏼

@adamJLev

Looks like there's a PR already, but it's a bit stalled: #804


isaka-james commented Sep 11, 2024

It's better they fix it. I see the last update is from about 5 months ago; I don't know what is happening. If someone has contact with the guys, it's worth telling them to update. I like this package because it is simpler to use than some others.

RDxR10 added a commit to RDxR10/djangorestframework-simplejwt that referenced this issue Oct 9, 2024
@Andrew-Chen-Wang (Member)

Hi all, I believe the CVE was previously discussed here: #779

The severity is marked as low, and we should document this for_user thing much better. I don't really have the time to get rid of the CVE, though; however, before the next release, I'll update the docs and see what the analyst interprets as next steps.
