CVE-2022-24857

django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)
Configurations

Configuration 1 (hide)

cpe:2.3:a:django-mfa3_project:django-mfa3:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:51

Type Values Removed Values Added
References () https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15 - Release Notes, Third Party Advisory () https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15 - Release Notes, Third Party Advisory
References () https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de - Patch, Third Party Advisory () https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de - Patch, Third Party Advisory
References () https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4 - Third Party Advisory () https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4 - Third Party Advisory
References () https://security.netapp.com/advisory/ntap-20220609-0003/ - Third Party Advisory () https://security.netapp.com/advisory/ntap-20220609-0003/ - Third Party Advisory
CVSS v2 : 6.5
v3 : 8.8
v2 : 6.5
v3 : 7.3

Information

Published : 2022-04-15 19:15

Updated : 2024-11-21 06:51


NVD link : CVE-2022-24857

Mitre link : CVE-2022-24857

CVE.ORG link : CVE-2022-24857


JSON object : View

Products Affected

django-mfa3_project

  • django-mfa3
CWE
CWE-287

Improper Authentication