CVE-2024-21543: 
Python vulnerability analysis and mitigation

CVE-2024-21543 affects versions of the djoser package before 2.3.0. The vulnerability was discovered and disclosed on November 9, 2024, and officially published on December 12, 2024. This security issue involves an Authentication Bypass vulnerability in the djoser REST implementation of Django authentication system (Snyk Advisory, NVD).

The vulnerability occurs when the authenticate() function fails, causing the system to fall back to querying the database directly. This fallback mechanism grants access to users with valid credentials, effectively bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N (Snyk Advisory).

The vulnerability allows attackers to bypass critical authentication mechanisms including two-factor authentication, LDAP validations, and custom authentication backend requirements. This could lead to unauthorized access to user accounts and sensitive information, even when additional security measures are in place (Snyk Advisory).

The vulnerability has been fixed in djoser version 2.3.0. Users are strongly advised to upgrade to this version or higher to address the security issue. The fix involves changes to the authentication process to prevent bypassing of custom authentication checks (GitHub Release, Snyk Advisory).

The vulnerability was initially reported through GitHub issue #795 and addressed through pull request #819. The fix was implemented after thorough discussion and review by the project maintainers and community members. The change was considered significant enough to warrant a new minor version release (2.3.0) rather than a patch release (GitHub Issue, GitHub PR).