Bug 2277035 (CVE-2024-32879) - CVE-2024-32879 python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-django
Summary: CVE-2024-32879 python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-django
Keywords:
Status: NEW
Alias: CVE-2024-32879
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2277036
Blocks: 2277038
Reported: 2024-04-25 03:22 UTC by Avinash Hanwate
Modified: 2024-05-07 15:03 UTC (History)

Fixed In Version: social-auth-app-django 5.4.1
Doc Type: ---
Doc Text:
A flaw was found in social-auth-app-django. In affected versions of this package, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Avinash Hanwate 2024-04-25 03:22:40 UTC
Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

https://github.com/python-social-auth/social-app-django/commit/31c3e0c7edb187004d8abbde7e9c4f7ef9098138
https://github.com/python-social-auth/social-app-django/pull/566
https://github.com/python-social-auth/social-app-django/security/advisories/GHSA-2gr8-3wc7-xhj3
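The following is an added illustration, not code from the bug report or from the social-auth-app-django project. It simulates the lookup of a provider uid under a case-insensitive collation (as MySQL/MariaDB `*_ci` collations behave by default) versus a binary collation, and adds a defender-side check that flags a login whose uid matches an existing row only when case is ignored. The table rows, provider names and uids are constructed sample data; `SocialAccount`, `lookup`, `is_case_only_match` and the collation helpers are hypothetical names chosen for this example.

```python
"""
Added example (not part of the bug report or of social-auth-app-django).

Models how a case-insensitive database collation lets a uid such as "abc123"
resolve to an existing row whose uid is "AbC123", and how a binary collation
(the advisory's workaround of changing the field's collation; in Django this
is a migration setting `db_collation` on the column) does not.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class SocialAccount:
    # Hypothetical stand-in for one row of the user-social-auth table.
    provider: str
    uid: str
    username: str


# Constructed sample rows; no real accounts or providers are referenced.
SAMPLE_ROWS: List[SocialAccount] = [
    SocialAccount("github", "AbC123", "alice"),
    SocialAccount("github", "xyz789", "bob"),
    SocialAccount("google", "abc123", "carol"),
]


def ci_key(value: str) -> str:
    """Approximates a *_ci collation: comparison ignores letter case."""
    return value.casefold()


def bin_key(value: str) -> bytes:
    """Approximates a *_bin collation: comparison is on exact bytes."""
    return value.encode("utf-8")


def lookup(rows: List[SocialAccount], provider: str, uid: str,
           key: Callable[[str], object]) -> List[SocialAccount]:
    """Return rows that a `provider=..., uid=...` query would match under `key`."""
    return [r for r in rows if r.provider == provider and key(r.uid) == key(uid)]


def is_case_only_match(rows: List[SocialAccount], provider: str, uid: str) -> bool:
    """
    Detection check: True when the incoming uid matches an existing row only
    with case ignored, i.e. a login that a *_ci collation would silently merge
    into a different account. Worth logging or rejecting before the fix or the
    collation change is in place.
    """
    exact = lookup(rows, provider, uid, bin_key)
    folded = lookup(rows, provider, uid, ci_key)
    return not exact and bool(folded)


if __name__ == "__main__":
    incoming = ("github", "abc123")  # constructed uid differing only in case
    print("case-insensitive match:", lookup(SAMPLE_ROWS, *incoming, ci_key))
    print("binary match:          ", lookup(SAMPLE_ROWS, *incoming, bin_key))
    print("suspicious login:      ", is_case_only_match(SAMPLE_ROWS, *incoming))
```

Under the case-insensitive key the incoming `github`/`abc123` resolves to alice's row, while the binary key finds nothing; `is_case_only_match` returns True exactly in that gap, which is the condition the advisory describes and the condition a monitoring rule on the login path can alert on.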

