Bug 2277035 (CVE-2024-32879) - CVE-2024-32879 python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-django
Keywords:
Status: NEW
Alias: CVE-2024-32879
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2277036
Blocks: 2277038
 
Reported: 2024-04-25 03:22 UTC by Avinash Hanwate
Modified: 2025-04-01 08:28 UTC

Fixed In Version: social-auth-app-django 5.4.1
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:3781 0 None None None 2024-06-10 18:37:50 UTC
Red Hat Product Errata RHSA-2024:6428 0 None None None 2024-09-05 14:10:27 UTC

Description Avinash Hanwate 2024-04-25 03:22:40 UTC
Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to the default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change the collation of the affected field.

https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138
https://github.com/python-social-auth/social-app-django/pull/566
https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
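Added example (not code from the report or from social-app-django) reproducing the comparison semantics the description refers to: an in-memory SQLite table shaped like the social-auth user table, with NOCASE standing in for MySQL's default case-insensitive collation and BINARY for the case-sensitive collation the workaround switches to. The provider name "example-idp" and the stored uid "Alice" are constructed sample values.

```python
import sqlite3

# Constructed sample record: a hypothetical provider that issues
# case-sensitive user ids, already linked to local user 1.
EXISTING_ROW = ("example-idp", "Alice", 1)  # (provider, uid, user_id)


def build_db(case_sensitive: bool) -> sqlite3.Connection:
    """Create a table with the shape of the social-auth association table.

    NOCASE mimics MySQL/MariaDB's default *_ci collation (the vulnerable
    state); BINARY mimics a case-sensitive collation on the uid column
    (the workaround named in the advisory).  Assumption: SQLite is used
    here only so the comparison behaviour can be shown offline.
    """
    collation = "BINARY" if case_sensitive else "NOCASE"
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usersocialauth ("
        " provider TEXT NOT NULL,"
        f" uid TEXT NOT NULL COLLATE {collation},"
        " user_id INTEGER NOT NULL,"
        " UNIQUE (provider, uid))"
    )
    conn.execute("INSERT INTO usersocialauth VALUES (?, ?, ?)", EXISTING_ROW)
    return conn


def lookup_user(conn: sqlite3.Connection, provider: str, uid: str):
    """Login-time lookup (provider, uid) -> local user_id, or None.

    SQLite applies the uid column's collation to the '=' comparison, just
    as MySQL applies the column collation, so a *_ci column lets the uid
    'alice' resolve to the row stored under 'Alice'.
    """
    row = conn.execute(
        "SELECT user_id FROM usersocialauth WHERE provider = ? AND uid = ?",
        (provider, uid),
    ).fetchone()
    return row[0] if row else None


def can_link(conn: sqlite3.Connection, provider: str, uid: str) -> bool:
    """Whether a new association for this uid can be stored at all.

    Under a *_ci collation the UNIQUE constraint also treats 'alice' and
    'Alice' as the same value, the second symptom of the collision.
    """
    try:
        conn.execute("INSERT INTO usersocialauth VALUES (?, ?, ?)", (provider, uid, 2))
        return True
    except sqlite3.IntegrityError:
        return False
```

Running `lookup_user(build_db(False), "example-idp", "alice")` returns 1 (the other user's account), while the same call against `build_db(True)` returns None.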

Comment 2 errata-xmlrpc 2024-06-10 18:37:48 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781

Comment 3 errata-xmlrpc 2024-09-05 14:10:24 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:6428 https://access.redhat.com/errata/RHSA-2024:6428

