GHSA-2gr8-3wc7-xhj3: social-auth-app-django affected by Improper Handling of Case Sensitivity

Impact

Because MySQL and MariaDB use a case-insensitive collation by default, third-party authentication user IDs are compared case-insensitively, so two distinct IDs that differ only in case can match the same record.

Patches

This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and the fix was released in 5.4.1.

Workarounds

An immediate workaround is to change the collation of the affected field:

ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;
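
The following added example (not code from the advisory or the project) reproduces the collation problem with SQLite's built-in collations: NOCASE stands in for MySQL's default case-insensitive collation and BINARY for the utf8_bin workaround, and the table, column and sample account names are constructed for the demonstration. It also shows the defence-in-depth check an application can apply while the schema change is pending: re-comparing the stored ID byte-for-byte after the lookup.

```python
import sqlite3

# Constructed sample row: local user 1 linked to a provider-side account whose
# ID is "Alice". Table/column names are illustrative, not the project's schema.
EXISTING = ("github", "Alice", 1)

def _db(collation):
    # NOCASE stands in for MySQL's default case-insensitive *_ci collation,
    # BINARY for the utf8_bin workaround from the advisory.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE social_auth (provider TEXT NOT NULL,"
        f" uid TEXT NOT NULL COLLATE {collation}, user_id INTEGER NOT NULL,"
        f" UNIQUE (provider, uid))"
    )
    conn.execute("INSERT INTO social_auth VALUES (?, ?, ?)", EXISTING)
    return conn

def find_user(collation, provider, uid):
    """user_ids the database itself matches for (provider, uid)."""
    conn = _db(collation)
    rows = conn.execute(
        "SELECT user_id FROM social_auth WHERE provider = ? AND uid = ?",
        (provider, uid)).fetchall()
    conn.close()
    return [r[0] for r in rows]

def find_user_exact(collation, provider, uid):
    """Defence in depth: re-compare the stored uid byte-for-byte in the
    application, so a collation-level match cannot link the wrong account."""
    conn = _db(collation)
    rows = conn.execute(
        "SELECT uid, user_id FROM social_auth WHERE provider = ? AND uid = ?",
        (provider, uid)).fetchall()
    conn.close()
    return [user_id for stored_uid, user_id in rows if stored_uid == uid]

def can_store_distinct(collation, provider, uid):
    """Whether a second account whose ID differs only by case can be stored;
    under a case-insensitive collation the UNIQUE constraint rejects it."""
    conn = _db(collation)
    try:
        conn.execute("INSERT INTO social_auth VALUES (?, ?, ?)", (provider, uid, 2))
        return True
    except sqlite3.IntegrityError:
        return False
    finally:
        conn.close()
```

When applying the advisory's ALTER TABLE, remember that MODIFY restates the whole column definition, so carry over any NOT NULL and other attributes the column already has. Choose the binary collation that matches the column's character set (utf8mb4_bin for a utf8mb4 column), since COLLATE utf8_bin also implies the utf8 (utf8mb3) character set.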

References

This issue was discovered by folks at https://opencraft.com/.


Package

social-auth-app-django (pip)

Affected versions

< 5.4.1

Patched versions

5.4.1

References

  • GHSA-2gr8-3wc7-xhj3
  • python-social-auth/social-app-django#566
  • python-social-auth/social-app-django@31c3e0c

nijel published to python-social-auth/social-app-django

Apr 24, 2024

Published to the GitHub Advisory Database

Apr 24, 2024

Reviewed

Apr 24, 2024

Last updated

Apr 24, 2024
