Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improper Privilege Management in djangorestframework-simplejwt <= 5.3.1 #815

Open
isaka-james opened this issue Jul 12, 2024 · 3 comments
Open

Improper Privilege Management in djangorestframework-simplejwt <= 5.3.1 #815

isaka-james opened this issue Jul 12, 2024 · 3 comments

Comments

@isaka-james
Copy link

isaka-james commented Jul 12, 2024
edited
Loading

Improper Privilege Management Vulnerability

Description:
I recently came across a Dependabot alert on GitHub regarding an improper privilege management vulnerability in djangorestframework-simplejwt. I attempted to address this by upgrading to the latest version, only to discover that version 5.3.1 is the most recent release and it remains vulnerable.

The vulnerability allows a user to access web application resources even after their account has been disabled due to missing user validation checks via the for_user method.

Affected Versions:

  • djangorestframework-simplejwt (pip) <= 5.3.1

Patched Version:

  • None

Steps to Reproduce:

  1. Create a user account and log in.
  2. Disable the user account in the application.
  3. Attempt to access resources using the previously issued JWT token.

Expected Behavior:
The disabled user should not be able to access any resources.

Actual Behavior:
The disabled user can still access resources due to missing validation checks.

Possible Solution:
Implement validation checks in the for_user method to ensure that disabled users cannot access resources.

Reference
I was initially alerted to the issue by a dependency bot. Upon attempting to update the package, I discovered there was no updated version available on PyPI. I then checked the repository for recent updates, but none were available.

This issue is critical as it can lead to unauthorized access to resources by users who should no longer have access. Please prioritize this fix and release an updated version as soon as possible.
@derlih derlih mentioned this issue Aug 31, 2024
Closed
@adamJLev
Copy link

adamJLev commented Sep 10, 2024
edited
Loading

This seems like something that is def worth fixing sooner than later, security should be #1 for a JWT framework. Anybody more familiar with the codebase have some time to look into this? 🙏🏼

@adamJLev
Copy link

Looks like there's a PR already but its a bit stalled
#804

@isaka-james
Copy link
Author

isaka-james commented Sep 11, 2024
edited
Loading

It's better they fix it, and I see the last update is like from 5 months ago, Idk what is happening, If someone has contact to the guys it's worth telling them to update. I like this package because it is simple to use rather than some others.

RDxR10 added a commit to RDxR10/djangorestframework-simplejwt that referenced this issue Oct 9, 2024
@RDxR10
Update tokens.py
71fabdf 
Fix for Issue jazzband#815
@RDxR10 RDxR10 mentioned this issue Oct 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adamJLev @isaka-james