Veracode Vulnerability Database: VERACODE:45978
Published: Mar 22, 2024, 11:44 a.m.

Missing Authorization Check

Source: sca.analysiscenter.veracode.com

Tags: djangorestframework_simplejwt, missing authorization check, for_user(), is_active field, authentication bypass

AI Score: 7.2 High (confidence: High)

EPSS: 0.001 Low (percentile: 50.8%)

djangorestframework_simplejwt is vulnerable to a missing authorization check. The for_user() function does not check whether a user is active before generating a token. Django's built-in user model has an is_active field that applications use to block a user from authenticating. If an application relies on is_active to block access, a valid JWT can still be generated for a user whose is_active is False, resulting in an authentication bypass.
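The following stand-alone Python is an added illustration of the flaw described above; it is not code from this database entry, from Django or from djangorestframework_simplejwt. To run offline it uses only the standard library: `User`, `for_user_vulnerable`, `for_user_hardened`, `authenticate` and the signing key `SECRET` are constructed stand-ins for Django's user model and for simplejwt's `for_user()`, and the HS256-style token minting is a minimal model rather than the library's token classes. It shows the vulnerable path (a correctly signed token for an inactive user), the issuance-time fix, and the authentication-time re-check that also catches tokens minted before an account was deactivated.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed stand-ins for illustration, not the library's API.
SECRET = b"example-signing-key"  # constructed; never hard-code a real key


@dataclass
class User:
    """Models the fields of Django's user model that matter here."""
    id: int
    username: str
    is_active: bool = True


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(user_id: int, exp: int) -> str:
    """Mint an HS256-style JWT for a user id. No policy checks live here."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"user_id": user_id, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def for_user_vulnerable(user: User, ttl: int = 300) -> str:
    """Mirrors the flaw: signs a token for any user object, active or not.
    is_active is never consulted, so a blocked account gets a valid token."""
    return _sign(user.id, int(time.time()) + ttl)


def for_user_hardened(user: User, ttl: int = 300) -> str:
    """Issuance-time fix: refuse to mint tokens for deactivated accounts."""
    if not user.is_active:
        raise PermissionError("user is inactive")
    return _sign(user.id, int(time.time()) + ttl)


def verify_signature(token: str) -> dict:
    """Return the claims if the signature is valid and the token is unexpired."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


def authenticate(token: str, users: dict) -> User:
    """Authentication-time check: a good signature is not enough, the user
    behind the token must still exist and still be active. This also covers
    accounts deactivated after the token was issued, which an issuance-time
    check alone cannot catch."""
    claims = verify_signature(token)
    user = users.get(claims["user_id"])
    if user is None or not user.is_active:
        raise PermissionError("user is inactive")
    return user


def demo() -> dict:
    """Walk through the three cases and return what each one did."""
    blocked = User(1, "alice", is_active=False)
    token = for_user_vulnerable(blocked)
    results = {"vulnerable_token_verifies": verify_signature(token)["user_id"] == 1}
    try:
        for_user_hardened(blocked)
        results["hardened_issuance_refused"] = False
    except PermissionError:
        results["hardened_issuance_refused"] = True
    try:
        authenticate(token, {1: blocked})
        results["authenticate_refused"] = False
    except PermissionError:
        results["authenticate_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Gating issuance on `is_active` closes the path the entry describes, but a refresh or access token issued before the account was deactivated stays valid until it expires, so the check at authentication time is the one that actually enforces the block for those tokens.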
