Insecure Permissions Affecting django-two-factor-auth package, versions [0,1.13)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-DJANGOTWOFACTORAUTH-1014668
- published 18 Oct 2020
- disclosed 1 Oct 2020
- credit moggers87
How to fix?
Upgrade django-two-factor-auth to version 1.13 or higher.
Overview
django-two-factor-auth is a Complete Two-Factor Authentication for Django
Affected versions of this package are vulnerable to Insecure Permissions. It is possible that if a site has been misconfigured and allows users to bypass django-two-factor-auth's login view (e.g. the admin site hasn't been configured correctly and admins can login without 2fa) and then disable that user's two-factor device(s). At this point an attacker could go set up a new two-factor and gain access to views protected by otp_required.This bug could also be exploited if the user has multiple sessions open before enabling two-factor auth. Any other session could then disable two-factor auth without having access to the device.