PyPi: Django-Mfa3

CVE-2022-24857

Safety vulnerability ID: 48171

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Apr 15, 2022 Updated at Jan 20, 2025

Scan your Python projects for vulnerabilities →

Advisory

Django-mfa3 0.5.0 includes a fix for CVE-2022-24857: Django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition before the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL).
https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4

Affected package

django-mfa3

Latest version: 0.15.0

multi factor authentication for django

Affected versions

Fixed versions

Vulnerability changelog

django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL) See CVE-2022-24857.

CONFIRM:https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4: https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4
MISC:https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15: https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15
MISC:https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de: https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 8.8

CVSS v3 Details

HIGH 8.8

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Availability (A): HIGH

CVSS v2 Details

MEDIUM 6.5

Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): SINGLE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): PARTIAL
Availability Impact (A): PARTIAL