Open isaka-james opened 4 months ago
This seems like something that is def worth fixing sooner than later, security should be #1 for a JWT framework. Anybody more familiar with the codebase have some time to look into this? 🙏🏼
Looks like there's a PR already but it's a bit stalled: https://github.com/jazzband/djangorestframework-simplejwt/pull/804
It's better they fix it, and I see the last update is from about 5 months ago. Idk what is happening; if someone has contact with the guys, it's worth telling them to update. I like this package because it is simple to use rather than some others.
Improper Privilege Management Vulnerability
Description: I recently came across a Dependabot alert on GitHub regarding an improper privilege management vulnerability in `djangorestframework-simplejwt`. I attempted to address this by upgrading to the latest version, only to discover that version 5.3.1 is the most recent release and it remains vulnerable. The vulnerability allows a user to access web application resources even after their account has been disabled, due to missing user validation checks via the `for_user` method.

Affected Versions:
Patched Version:
Steps to Reproduce:
Expected Behavior: The disabled user should not be able to access any resources.
Actual Behavior: The disabled user can still access resources due to missing validation checks.
Possible Solution: Implement validation checks in the `for_user` method to ensure that disabled users cannot access resources.

Reference: I was initially alerted to the issue by a dependency bot. Upon attempting to update the package, I discovered there was no updated version available on PyPI. I then checked the repository for recent updates, but none were available.
This issue is critical as it can lead to unauthorized access to resources by users who should no longer have access. Please prioritize this fix and release an updated version as soon as possible.
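The check the report asks for, as an added stand-alone example (not simplejwt's own code): a mock `token_for_user` that refuses to mint a token for a disabled account, and an `authenticate` step that re-checks the account on every request, so a token issued before the account was disabled also stops working. It assumes the user object carries Django's `is_active` flag; the secret, token format and accounts are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"  # constructed for this example only

@dataclass
class User:
    id: int
    is_active: bool = True  # assumed Django-style account flag

def _sign(payload: dict) -> str:
    # Minimal signed token (body.tag); a stand-in for a real JWT, not simplejwt's format.
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def token_for_user(user: User, lifetime: int = 300) -> str:
    """Hardened analogue of for_user: never mint a token for a disabled account."""
    if not user.is_active:
        raise PermissionError("cannot issue token for inactive user")
    return _sign({"user_id": user.id, "exp": int(time.time()) + lifetime})

def authenticate(token: str, lookup) -> User:
    """Verify signature and expiry, then re-check that the account is still active."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] < time.time():
        raise PermissionError("token expired")
    user = lookup(payload["user_id"])
    if user is None or not user.is_active:  # the check the report says is missing
        raise PermissionError("user is inactive")
    return user

def allowed(action) -> bool:
    # True if the action succeeds, False if it is refused with PermissionError.
    try:
        action()
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    users = {1: User(1), 2: User(2, is_active=False)}  # constructed accounts
    print("issue for disabled:", allowed(lambda: token_for_user(users[2])))  # False
    tok = token_for_user(users[1])
    print("access while active:", allowed(lambda: authenticate(tok, users.get)))  # True
    users[1].is_active = False  # account disabled after the token was issued
    print("access after disable:", allowed(lambda: authenticate(tok, users.get)))  # False
```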