CVE-2024-32879

social-auth-app-django Improper Handling of Case Sensitivity vulnerability

Severity Score

4.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

Python Social Auth es un mecanismo de autenticación/registro social. Antes de la versión 5.4.1, debido a la intercalación predeterminada que no distingue entre mayúsculas y minúsculas en las bases de datos MySQL o MariaDB, los ID de usuario de autenticación de terceros no distinguen entre mayúsculas y minúsculas y podrían hacer que coincidan diferentes ID. Este problema se solucionó mediante una solución publicada en la versión 5.4.1. Un workaround inmediata sería cambiar la clasificación del campo afectado.

A flaw was found in social-auth-app-django. In affected versions of this package, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.

*Credits: N/A

CVSS Scores

GitHubv3.1 4.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-04-19 CVE Reserved
2024-04-24 CVE Published
2024-04-25 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-178: Improper Handling of Case Sensitivity
CWE-303: Incorrect Implementation of Authentication Algorithm

CAPEC

References (5)

URL	Tag	Source
https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138	X_refsource_misc
https://github.com/python-social-auth/social-app-django/pull/566	X_refsource_misc
https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-32879	2024-09-05
https://bugzilla.redhat.com/show_bug.cgi?id=2277035	2024-09-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python-social-auth Search vendor "Python-social-auth"		Social-app-django Search vendor "Python-social-auth" for product "Social-app-django"				< 5.4.1 Search vendor "Python-social-auth" for product "Social-app-django" and version " < 5.4.1"		en		Affected