django-two-factor-auth@0.2.2 vulnerabilities

Complete Two-Factor Authentication for Django

Direct Vulnerabilities

Known vulnerabilities in the django-two-factor-auth package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Authorization

django-two-factor-auth is a Complete Two-Factor Authentication for Django

Affected versions of this package are vulnerable to Improper Authorization. This issue arises when a site's configuration permits users to circumvent the necessary two-factor authentication (2FA) process for login, such as improperly configured admin logins that allow access without 2FA. Consequently, an attacker can disable a user's two-factor devices and establish a new 2FA setup to access areas requiring one-time passwords (OTP). Additionally, this vulnerability could be exploited through any of the user's multiple active sessions, enabling the attacker to deactivate 2FA without needing the physical device.

How to fix Improper Authorization?

Upgrade django-two-factor-auth to version 1.13 or higher.

[,1.13)
  • M
Insecure Permissions

django-two-factor-auth is a Complete Two-Factor Authentication for Django

Affected versions of this package are vulnerable to Insecure Permissions. It is possible that if a site has been misconfigured and allows users to bypass django-two-factor-auth's login view (e.g. the admin site hasn't been configured correctly and admins can login without 2fa) and then disable that user's two-factor device(s). At this point an attacker could go set up a new two-factor and gain access to views protected by otp_required.This bug could also be exploited if the user has multiple sessions open before enabling two-factor auth. Any other session could then disable two-factor auth without having access to the device.

How to fix Insecure Permissions?

Upgrade django-two-factor-auth to version 1.13 or higher.

[0,1.13)
  • M
Insufficiently Protected Credentials

django-two-factor-auth is a Complete Two-Factor Authentication for Django

Affected versions of this package are vulnerable to Insufficiently Protected Credentials. It stores the user's password in clear text in the user session (base64-encoded).

How to fix Insufficiently Protected Credentials?

Upgrade django-two-factor-auth to version 1.12 or higher.

[,1.12)