CVE-2024-32879

Aliases:GHSA-2gr8-3wc7-xhj3
Advisory lineage Upstream: 0 Downstream: 5
Deferred
Published: 24 Apr 2024, 19:42
Last modified:02 Aug 2024, 02:20

Vulnerability Summary

Overall Risk (default)
low
20/100
CVSS Score
4.9 MEDIUM
v3.1 (cve.org)
EPSS Score
0.26% LOW
0% probability +0.07%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

24 Apr 2024, 19:42
Published
Vulnerability first disclosed
02 Aug 2024, 02:20
Last Modified
Vulnerability information updated

Description

Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field.

CVSS Metrics

  • v3.1MEDIUMScore: 4.9CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.26% Percentile: 49%

Techniques & Countermeasures

  • CWE-178Improper Handling of Case Sensitivity

    The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

  • CWE-303Incorrect Implementation of Authentication Algorithm

    The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

Affected Systems

  • PyPIsocial-auth-app-django

    < 5.4.1

  • python-social-authsocial-app-django

    < 5.4.1

References (5)