PyPi: Django-Oauth-Toolkit

CVE-2022-36087

Transitive

Safety vulnerability ID: 73082

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 09, 2022. Updated at Sep 07, 2024.

Advisory

Django-oauth-toolkit upgrades oauthlib to 3.2.2+ to address CVE-2022-36087.

Affected package

django-oauth-toolkit

Latest version: 3.0.1

OAuth2 Provider for Django

Affected versions

Fixed versions

Vulnerability changelog

WARNING - POTENTIAL BREAKING CHANGES
* Changes to the `AbstractAccessToken` model require doing a `manage.py migrate` after upgrading.
* If you use swappable models you will need to make sure your custom models are also updated (usually `manage.py makemigrations`).
* Old Django versions below 4.2 are no longer supported.
* A few deprecations warned about in 2.4.0 (#1345) have been removed. See below.

Added
* #1366 Add Docker containerized apps for testing IDP and RP.
* #1454 Added compatibility with `LoginRequiredMiddleware` introduced in Django 5.1.

Changed
* Many documentation and project internals improvements.
* #1446 Use generic models `pk` instead of `id`. This enables, for example, custom swapped models to have a different primary key field.
* #1447 Update token to TextField from CharField. Removing the 255 character limit enables supporting JWT tokens with additional claims.
This adds a SHA-256 `token_checksum` field that is used to validate tokens.
* #1450 Transactions wrapping writes of the Tokens now rely on Django's database routers to determine the correct
database to use instead of assuming that 'default' is the correct one.
* #1455 Changed minimum supported Django version to >=4.2.

Removed
* #1425 Remove deprecated `RedirectURIValidator`, `WildcardSet` per #1345; `validate_logout_request` per #1274.

Fixed
* #1444, #1476 Fix several 500 errors to instead raise appropriate errors.
* #1469 Fix `ui_locales` request parameter triggering `AttributeError` under certain circumstances.

Security
* #1452 Add a new setting [`REFRESH_TOKEN_REUSE_PROTECTION`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#refresh-token-reuse-protection).
In combination with [`ROTATE_REFRESH_TOKEN`](https://django-oauth-toolkit.readthedocs.io/en/latest/settings.html#rotate-refresh-token),
this prevents refresh tokens from being used more than once. See more at
[OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-29#name-recommendations).
* #1481 Bump oauthlib version required to 3.2.2 and above to address [CVE-2022-36087](https://github.com/advisories/GHSA-3pgj-pg6c-r5p7).
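The following is an added illustrative model of what the two Security-section settings achieve together: refresh tokens are rotated on every exchange, and presenting an already-rotated token a second time revokes the whole token family so that whoever holds the rotated copy loses access as well. It also looks tokens up by SHA-256 checksum rather than by raw value, in the spirit of the `token_checksum` field from #1447. It is not django-oauth-toolkit's own code; the class and function names (`TokenStore`, `simulate_stolen_refresh_token`, `InvalidGrant`) and the two constructor flags are assumptions chosen to mirror the settings named above.

```python
"""Illustrative refresh-token rotation with reuse protection.

Added example, not django-oauth-toolkit's code. The flags mirror the settings
ROTATE_REFRESH_TOKEN and REFRESH_TOKEN_REUSE_PROTECTION; all names are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass


class InvalidGrant(Exception):
    """Raised where a real token endpoint would answer error=invalid_grant."""


def checksum(token: str) -> str:
    # Store and look up SHA-256 digests so raw token values never serve as keys.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class RefreshRecord:
    family: str            # the original grant this token descends from
    rotated: bool = False  # True once this token has been exchanged


class TokenStore:
    def __init__(self, rotate_refresh_token: bool = True, reuse_protection: bool = True):
        self.rotate_refresh_token = rotate_refresh_token
        self.reuse_protection = reuse_protection
        self._refresh: dict[str, RefreshRecord] = {}  # checksum -> record
        self._access: dict[str, str] = {}             # checksum -> family
        self._revoked_families: set[str] = set()

    def _issue(self, family: str) -> tuple[str, str]:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[checksum(access)] = family
        self._refresh[checksum(refresh)] = RefreshRecord(family)
        return access, refresh

    def authorize(self) -> tuple[str, str]:
        """Initial grant (e.g. after login): starts a fresh token family."""
        return self._issue(secrets.token_hex(8))

    def refresh(self, refresh_token: str) -> tuple[str, str]:
        rec = self._refresh.get(checksum(refresh_token))
        if rec is None or rec.family in self._revoked_families:
            raise InvalidGrant("unknown or revoked refresh token")
        if not self.rotate_refresh_token:
            # No rotation: the same refresh token stays valid and is returned unchanged.
            access = secrets.token_urlsafe(32)
            self._access[checksum(access)] = rec.family
            return access, refresh_token
        if rec.rotated:
            # An already-exchanged token is presented again: either a client replay
            # or a second party holding a copy. With reuse protection on, the whole
            # family is revoked so the previously issued tokens stop working too.
            if self.reuse_protection:
                self._revoked_families.add(rec.family)
            raise InvalidGrant("refresh token reuse detected")
        rec.rotated = True  # one use only from here on
        return self._issue(rec.family)

    def access_token_valid(self, access_token: str) -> bool:
        family = self._access.get(checksum(access_token))
        return family is not None and family not in self._revoked_families


def simulate_stolen_refresh_token(reuse_protection: bool) -> dict[str, bool]:
    """Constructed scenario: a copy of RT1 is redeemed first, then the real client uses RT1."""
    store = TokenStore(rotate_refresh_token=True, reuse_protection=reuse_protection)
    _, rt1 = store.authorize()
    copied_access, _ = store.refresh(rt1)  # the copied token is redeemed first
    try:
        store.refresh(rt1)                 # legitimate client presents RT1 afterwards
        client_refresh_ok = True
    except InvalidGrant:
        client_refresh_ok = False
    return {
        "client_refresh_ok": client_refresh_ok,
        "copied_access_still_valid": store.access_token_valid(copied_access),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"reuse_protection={flag}: {simulate_stolen_refresh_token(flag)}")
```

Rotation alone rejects the legitimate client's second use of RT1 but leaves the tokens issued to the holder of the copy untouched; only with reuse protection does that replay revoke the family, which is the detection-and-containment behaviour the BCP recommends and the changelog entry enables.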


Severity Details

CVSS Base Score

MEDIUM 6.5

CVSS v3 Details

MEDIUM 6.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Impact (A)
HIGH