CVE-2022-24857: django-mfa3/CHANGES.md at main · xi/django-mfa3

django-mfa3 is a library that implements multi-factor authentication for the Django web framework. It achieves this by modifying the regular login view. Django, however, has a second login view for its admin area. This second login view was not modified, so the multi-factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overriding the admin login route, e.g. by adding the following URL definition before the admin routes: `url('admin/login/', lambda request: redirect(settings.LOGIN_URL))`
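The workaround depends on URL ordering: Django resolves `urlpatterns` top to bottom and the first match wins, so an `admin/login/` override registered after the admin include is never reached. The following is an added example, not code from django-mfa3 or Django; it is a constructed, dependency-free model of first-match resolution (the `Route`, `include`, `resolve` and `admin_login_is_guarded` names are assumptions made for this illustration) that shows the override working in the correct position and silently doing nothing in the wrong one.

```python
"""Constructed model of Django's first-match URL resolution, used to show why
the CVE-2022-24857 workaround (an 'admin/login/' override) only takes effect
when it is registered *before* the admin routes. This is not Django code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str   # path prefix this route handles, e.g. "admin/login/"
    view: str     # name of the view that would serve a matching request


# Constructed stand-in for the admin URLconf. The real admin registers many
# more routes; 'login/' is the one that bypasses the MFA-aware login view.
ADMIN_ROUTES = [
    Route("login/", "admin_login_unprotected"),
    Route("", "admin_index"),
]

# View name we want 'admin/login/' to hit instead: the redirect to LOGIN_URL
# from the advisory's workaround.
MFA_REDIRECT = "redirect_to_mfa_login"


def include(prefix: str, routes: List[Route]) -> List[Route]:
    """Flatten an included URLconf under a prefix, like Django's include()."""
    return [Route(prefix + r.prefix, r.view) for r in routes]


def resolve(urlpatterns: List[Route], path: str) -> Optional[str]:
    """Return the view of the first pattern whose prefix matches the path."""
    for route in urlpatterns:
        if path.startswith(route.prefix):
            return route.view
    return None


def patterns(override_first: bool) -> List[Route]:
    """Build urlpatterns with the override either before or after the admin."""
    override = Route("admin/login/", MFA_REDIRECT)
    admin = include("admin/", ADMIN_ROUTES)
    return [override] + admin if override_first else admin + [override]


def admin_login_is_guarded(urlpatterns: List[Route]) -> bool:
    """Deployment check: does a request for admin/login/ reach the redirect?"""
    return resolve(urlpatterns, "admin/login/") == MFA_REDIRECT


if __name__ == "__main__":
    for first in (True, False):
        handler = resolve(patterns(first), "admin/login/")
        print(f"override first={first}: admin/login/ -> {handler}")
```

In a real project the same rule applies to `urlpatterns` in `urls.py`: the `admin/login/` entry must precede `path('admin/', admin.site.urls)`. A cheap regression check for deployments that stay on a vulnerable version is to request `/admin/login/` with Django's test client and assert on a redirect to `settings.LOGIN_URL` rather than a 200 with the admin login form.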


0.6.0 (2022-06-08)

  • Adapt to fido2 1.0.0

0.5.1 (2022-06-08)

  • Pin fido2 dependency

0.5.0 (2022-04-15)

  • Security fix: The admin login was not adapted, so it could be used to bypass MFA. As a fix, django-mfa3 now automatically patches AdminSite so that the admin login redirects to the regular login. (CVE-2022-24857)
  • Drop support for django 2.2
  • Use a more efficient string encoding for FIDO2 messages

0.4.0 (2022-01-25)

  • Drop support for python 3.6, add support for python 3.10
  • Drop support for django 3.1, add support for django 4.0
  • No longer include MFA code in credentials for user_login_failed

0.3.0 (2021-08-25)

  • Add recovery codes. Check the example templates for references to “recovery” to see what needs to be changed.
  • Add new setting MFA_METHODS to change the set of enabled methods.

0.2.5 (2021-07-18)

  • Fix usage with custom User models that use a different username field (thanks to Ashok Argent-Katwala)

0.2.4 (2021-07-07)

  • Security fix: Do not allow users to see the names of, or delete, other users' keys (secrets were not leaked)

0.2.3 (2021-07-05)

  • Fix packaging: include .mo files

0.2.2 (2021-07-05)

  • Fix packaging: include templatetags

0.2.1 (2021-07-02)

  • Fix packaging: exclude tests

0.2.0 (2021-07-02)

  • Convert qrcode to template filter. In templates, change {{ mfa_data.qrcode|safe }} to {% load mfa %} {{ mfa_data.url|qrcode }}.
  • Fix form validation on missing code
  • Add german translation
  • Use never_cache and sensitive_post_parameters decorators
  • Do not generate a new challenge on validation errors

0.1.0 (2021-06-29)

  • Trigger user_login_failed on failed second factor. This can be used to integrate with external rate limiting solutions such as django-axes.
  • Fix: include JS files in python package
  • Render qrcode server-side
  • Convenience: redirect to TOTP auth if no FIDO2 key exists
  • Add optional MFAEnforceMiddleware
  • Tweak admin UI
  • Tweak example templates

0.0.0 (2021-06-21)

  • Initial release
