Описание
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| django-allauth | fixed | 65.15.0-1 | package | |
| django-allauth | no-dsa | trixie | package | |
| django-allauth | no-dsa | bookworm | package | |
| django-allauth | postponed | bullseye | package |
Примечания
https://allauth.org/news/2025/10/django-allauth-65.13.0-released/
https://github.com/pennersr/django-allauth/commit/8feef46e0e07b25fc5594c8f268afa247ebc3412 (65.13.0)
Связанные уязвимости
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions