PT-2020-12224 · Jpadilla · Drf-Jwt

Published: 2020-03-15 · Updated: 2020-06-05 · CVE-2020-10594

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: drf-jwt versions 1.15.x before 1.15.1
Description: drf-jwt 1.15.x before 1.15.1 allows an attacker who holds a notionally invalidated token (one whose ID has been placed on the blacklist) to obtain a new, working token via the refresh endpoint. The blacklist protection mechanism is incompatible with the token-refresh feature: a blacklisted token is rejected when used to authenticate a request, but the refresh endpoint does not consult the blacklist, so it still accepts the revoked token and issues a fresh one that the blacklist does not cover. Revocation is therefore ineffective for as long as the refresh window of the original token remains open. drf-jwt is a fork of jpadilla/django-rest-framework-jwt, which is unmaintained.
Recommendations: For versions 1.15.x before 1.15.1, update to version 1.15.1 or later, which applies the blacklist check on the refresh endpoint. If you cannot upgrade immediately, disable the token-refresh feature (the JWT_ALLOW_REFRESH setting) so that revoked tokens are at least bounded by their normal expiry, and restrict network access to the refresh endpoint. Note that any token an attacker has already obtained through refresh carries an ID that is not on the blacklist; blacklist those tokens as well, or rotate the signing key to invalidate every outstanding token at once.
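How the defect plays out, as an added illustration that is not drf-jwt's code: the model below hand-rolls HS256 tokens so it needs no library, keeps revoked token IDs in an in-memory set named BLACKLIST, and contrasts a refresh handler that ignores that set with one that consults it. The names issue_token, revoke, authenticate, vulnerable_refresh and fixed_refresh, the orig_iat refresh window and the signing secret are assumptions of this example, modelled on the general design the advisory describes rather than copied from the project.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"demo-signing-key"      # constructed for this example only
TOKEN_TTL = 300                   # token lifetime in seconds
REFRESH_WINDOW = 7 * 24 * 3600    # refresh allowed this long after orig_iat
BLACKLIST = set()                 # jti values of revoked tokens (in-memory stand-in)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode(payload: dict) -> str:
    """Hand-rolled HS256 JWT so the example runs without third-party libraries."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def decode(token: str, now: float) -> dict:
    """Verify signature and expiry only; revocation is the callers' job."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise ValueError("token expired")
    return payload


def issue_token(user: str, now: float, orig_iat=None) -> str:
    """Every issued token gets a fresh jti; orig_iat is carried across refreshes."""
    return encode({"sub": user, "jti": uuid.uuid4().hex, "iat": now,
                   "exp": now + TOKEN_TTL,
                   "orig_iat": now if orig_iat is None else orig_iat})


def revoke(token: str, now: float) -> None:
    BLACKLIST.add(decode(token, now)["jti"])


def authenticate(token: str, now: float) -> str:
    """Normal request authentication: signature, expiry and blacklist."""
    payload = decode(token, now)
    if payload["jti"] in BLACKLIST:
        raise ValueError("token revoked")
    return payload["sub"]


def vulnerable_refresh(token: str, now: float) -> str:
    payload = decode(token, now)
    if payload["orig_iat"] + REFRESH_WINDOW <= now:
        raise ValueError("refresh window closed")
    # BUG: no blacklist lookup. A revoked token is exchanged for a new one
    # whose jti has never been blacklisted, so authenticate() accepts it.
    return issue_token(payload["sub"], now, payload["orig_iat"])


def fixed_refresh(token: str, now: float) -> str:
    payload = decode(token, now)
    if payload["jti"] in BLACKLIST:
        raise ValueError("token revoked")   # same check the auth path performs
    if payload["orig_iat"] + REFRESH_WINDOW <= now:
        raise ValueError("refresh window closed")
    return issue_token(payload["sub"], now, payload["orig_iat"])


def revoked_token_survives_refresh(refresh) -> bool:
    """True if a revoked token can be laundered into a working one via refresh."""
    BLACKLIST.clear()
    now = time.time()
    token = issue_token("alice", now)
    revoke(token, now)
    try:
        new_token = refresh(token, now + 1)
        authenticate(new_token, now + 2)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable refresh laundered revoked token:",
          revoked_token_survives_refresh(vulnerable_refresh))   # True
    print("fixed refresh laundered revoked token:",
          revoked_token_survives_refresh(fixed_refresh))        # False
```

The check encoded in revoked_token_survives_refresh is the one to run against a real deployment before and after upgrading: revoke a token, submit it to the refresh endpoint, and present the result to an authenticated endpoint; the refreshed token must be rejected. The general lesson is that every path that issues tokens, not only the one that validates them, has to consult the same revocation store.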

Fix

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

CVE-2020-10594
GHSA-FPJM-RP2G-3R4C
PYSEC-2020-40

Affected Products

Drf-Jwt