Homepage
About Snyk

Authentication Bypass Affecting drf-jwt package, versions [1.15.0,1.15.1)

0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.16% (52nd percentile)
Expand this section
NVD
9.1 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-DRFJWT-560361
  • published 15 Mar 2020
  • disclosed 15 Mar 2020
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 15 Mar 2020

CVE-2020-10594 Open this link in a new tab
CWE-289 Open this link in a new tab

How to fix?

Upgrade drf-jwt to version 1.15.1 or higher.

Overview

drf-jwt is a JSON Web Token Authentication support package for Django REST Framework. NOTE: drf-jwt is a fork of jpadilla/django-rest-framework-jwt, which is unmaintained.

Affected versions of this package are vulnerable to Authentication Bypass. It allows attackers with access to a notionally invalidated token to obtain a new, working token via the refresh endpoint, because the blacklist protection mechanism is incompatible with the token-refresh feature.