Improper Authorization Affecting django-two-factor-auth package, versions [,1.13)
- Snyk ID SNYK-PYTHON-DJANGOTWOFACTORAUTH-6514867
- published 1 Apr 2024
- disclosed 1 Apr 2024
- credit Matt Molyneaux
How to fix?
Upgrade django-two-factor-auth to version 1.13 or higher.
Overview
django-two-factor-auth is a complete two-factor authentication solution for Django.
Affected versions of this package are vulnerable to Improper Authorization. The issue arises when a site's configuration lets a user log in without completing the two-factor authentication (2FA) step, for example an admin login that is not wrapped in 2FA. A session obtained that way can disable the user's existing two-factor devices and enrol a new 2FA setup, and so reach views that require a one-time password (OTP). The same applies to any of the user's other active sessions: from such a session, 2FA can be deactivated without possession of the user's physical device.
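The gap described above, as an added illustration that is not django-two-factor-auth code: a constructed model of a device-management view, in a vulnerable form that only checks that the session is logged in, and a hardened form that also requires the session itself to have passed an OTP challenge (in django_otp terms, the `is_verified()` check that OTPMiddleware provides). The `Session` and `Account` types are stand-ins, not the project's models.

```python
"""Constructed model of the authorization gap: a session that never passed
an OTP challenge can manage 2FA devices unless device management checks
OTP verification, not just login. Not django-two-factor-auth code."""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    authenticated: bool = True
    otp_verified: bool = False  # True only once this session passed an OTP challenge


@dataclass
class Account:
    devices: list = field(default_factory=list)  # enrolled 2FA devices


class Forbidden(Exception):
    pass


def disable_2fa_vulnerable(session: Session, account: Account) -> None:
    """Checks login only: a session created via a login path that bypasses
    2FA (e.g. an admin login not wrapped in OTP) can wipe the user's devices."""
    if not session.authenticated:
        raise Forbidden("login required")
    account.devices.clear()


def disable_2fa_hardened(session: Session, account: Account) -> None:
    """Also requires that *this* session completed an OTP challenge, so a
    bypass-created or hijacked session cannot turn 2FA off or re-enrol it.
    A user with no devices yet may still run first-time setup."""
    if not session.authenticated:
        raise Forbidden("login required")
    if account.devices and not session.otp_verified:
        raise Forbidden("OTP verification required to change 2FA settings")
    account.devices.clear()


def can_disable(handler, session: Session, account: Account) -> bool:
    """Run a handler against a copy of the account; report whether it
    managed to remove every device (the original account is untouched)."""
    trial = Account(devices=list(account.devices))
    try:
        handler(session, trial)
    except Forbidden:
        return False
    return not trial.devices
```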