Headline
GHSA-2gr8-3wc7-xhj3: social-auth-app-django affected by Improper Handling of Case Sensitivity
Impact
Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match.
Patches
This issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and a fix was released in 5.4.1.
Workarounds
An immediate workaround would be to change the collation of the affected field so that comparisons on it are case-sensitive:
ALTER TABLE `social_auth_association` MODIFY `uid` varchar(255) COLLATE `utf8_bin`;
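The following is an added example, not code from the advisory or from the social-app-django project. It reproduces the effect described under Impact and the effect of the workaround above using SQLite in place of MySQL/MariaDB: a column declared `COLLATE NOCASE` stands in for the database's default case-insensitive collation, and `COLLATE BINARY` stands in for the `utf8_bin` collation applied by the ALTER TABLE. The table name `social_auth_association` and column `uid` follow the advisory; the `provider` column and all rows are constructed for the demonstration. It also includes an audit query a defender can adapt to find existing rows whose IDs differ only in case before switching collation (the MySQL ALTER above would otherwise collide on such rows if a unique index covers `uid`).

```python
import sqlite3

# Constructed sample rows: two distinct third-party IDs that differ only in case,
# plus an unrelated one. In a case-insensitive collation "Alice" and "alice" match.
SAMPLE_ROWS = [("github", "Alice"), ("github", "alice"), ("google", "12345")]


def build_db(case_insensitive: bool) -> sqlite3.Connection:
    """Create an in-memory table modelled on social_auth_association(uid).

    case_insensitive=True  -> COLLATE NOCASE, mimicking the MySQL/MariaDB default.
    case_insensitive=False -> COLLATE BINARY, mimicking the utf8_bin workaround.
    """
    collation = "NOCASE" if case_insensitive else "BINARY"
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE social_auth_association ("
        "  id INTEGER PRIMARY KEY,"
        "  provider TEXT NOT NULL,"
        f"  uid TEXT NOT NULL COLLATE {collation}"
        ")"
    )
    conn.executemany(
        "INSERT INTO social_auth_association (provider, uid) VALUES (?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def lookup(conn: sqlite3.Connection, provider: str, uid: str) -> list:
    """The equality lookup an auth backend performs when mapping a provider ID
    to a local account. The column's collation decides whether case matters."""
    cur = conn.execute(
        "SELECT uid FROM social_auth_association WHERE provider = ? AND uid = ? ORDER BY id",
        (provider, uid),
    )
    return [row[0] for row in cur.fetchall()]


def find_case_collisions(conn: sqlite3.Connection) -> dict:
    """Audit: group stored IDs per provider by their lower-cased form and report
    groups containing more than one distinct spelling. Run this before changing
    collation; such rows would be indistinguishable under a case-insensitive
    collation and may violate a unique index after the change."""
    groups = {}
    for provider, uid in conn.execute("SELECT provider, uid FROM social_auth_association"):
        groups.setdefault((provider, uid.lower()), set()).add(uid)
    return {key: sorted(uids) for key, uids in groups.items() if len(uids) > 1}


if __name__ == "__main__":
    vulnerable = build_db(case_insensitive=True)
    fixed = build_db(case_insensitive=False)
    # Under the default collation one provider ID matches both stored rows.
    print("case-insensitive:", lookup(vulnerable, "github", "ALICE"))
    # After the collation change only the exact spelling matches.
    print("case-sensitive:  ", lookup(fixed, "github", "alice"))
    print("collisions:      ", find_case_collisions(vulnerable))
```

Running the script shows the lookup for `ALICE` returning both rows on the case-insensitive schema and only the exact match on the binary-collated one; the audit reports the `github` pair as a collision on either schema, since it inspects stored values rather than relying on the database's comparison.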
References
This issue was discovered by folks at https://opencraft.com/.
Package
social-auth-app-django (pip)
Affected versions
< 5.4.1
Patched versions
5.4.1
References
- GHSA-2gr8-3wc7-xhj3
- python-social-auth/social-app-django#566
- python-social-auth/social-app-django@31c3e0c
nijel published to python-social-auth/social-app-django
Apr 24, 2024
Published to the GitHub Advisory Database
Apr 24, 2024
Reviewed
Apr 24, 2024
Last updated
Apr 24, 2024