PT-2024-18955 · Djoser+3

Diego Cebrian · Published 2024-12-13 · Updated 2025-03-24

CVE-2024-21543

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: djoser versions prior to 2.3.0

Description: The issue allows an authentication bypass. When the authenticate() function fails, djoser falls back to querying the database directly. As a result, any user with valid credentials is granted access, and custom authentication checks are skipped, including two-factor authentication, LDAP validation, and any requirements enforced by the configured AUTHENTICATION_BACKENDS.

Recommendations: For versions prior to 2.3.0, update to version 2.3.0 or later to resolve the issue. As a temporary workaround, consider disabling the authenticate() function until a patch is available. Restrict access to custom authentication modules to minimize the risk of exploitation. Avoid relying solely on AUTHENTICATION_BACKENDS for authentication until the issue is resolved.

Fix

Weakness Enumeration

Improper Authentication
Improper Certificate Validation

Related Identifiers

CVE-2024-21543
DLA-4060-1
GHSA-V49P-M6GH-747C
PYSEC-2024-158
USN-7354-1

Affected Products

Debian
Linuxmint
Ubuntu
Djoser