Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reported vulnerability in 5.3.1 #805

Open
apacha opened this issue May 6, 2024 · 3 comments
Open

Reported vulnerability in 5.3.1 #805

apacha opened this issue May 6, 2024 · 3 comments

Comments

@apacha
Copy link

apacha commented May 6, 2024

Safety vulnerability scanner reports the following vulnerability in the latest version of this package:

-> Vulnerability found in djangorestframework-simplejwt version 5.3.1
   Vulnerability ID: 66963
   Affected spec: <=5.3.1
   ADVISORY: djangorestframework-simplejwt version 5.3.1 and before is
   vulnerable to information disclosure. A user can access web application...
   CVE-2024-22513
   For more information, please visit
   https://data.safetycli.com/v/66963/f17
 Scan was completed. 1 vulnerability was found.
@SimSama
Copy link

SimSama commented May 9, 2024

Curious reader here myself.

I was reading over the code here and I think the vulnerability is very low (explanation below). I think the framework could be better designed to prevent token generation, I'll look at at forking and testing later this week.

###From the CVE
from django.contrib.auth.models import User
from rest_framework_simplejwt.tokens import AccessToken

create inactive user

inactive_user_id = User.objects.create_user('testuser', 'test@example.com', 'testPassw0rd!', is_active=False).id

django application programmer generates token for the inactive user

AccessToken.for_user(User.objects.get(id=inactive_user_id)) # error should be raised since user is inactive

django application verifying user token

AccessToken.for_user(User.objects.get(id=inactive_user_id)).verify() # no exception is raised during verification of inactive user token

So the argument here is that you can still create a token manually, and verify the token if user is disabled, however you cannot login with that token. In authenticate module, the get_user function explicitly raises error if user is inactive.

if not user.is_active:
raise AuthenticationFailed(_("User is inactive"), code="user_inactive")

So you can manually generate all the tokens you want, but you can't login and view sensitive data if user disabled. A setting to disable token generation if user disabled default is a simple ask however.

I haven't explicitly tested, I'll see if I can do that this week.

@Marpop
Copy link

Marpop commented May 13, 2024

Is is possible to silence safety error then?
https://data.safetycli.com/v/66963/97c/
maybe it's question for safety

@miseas
Copy link

miseas commented May 20, 2024
edited
Loading

This issue is already mentioned here #779
And also possible fix #804

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@apacha @miseas @Marpop @SimSama