Описание
Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the associate_by_email pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
A flaw was found in Python Social Auth, a social authentication and registration framework. During authentication, a user account could be incorrectly associated by e-mail even when the associate_by_email pipeline was not explicitly enabled. This behavior could allow account takeover if a third-party authentication provider fails to properly validate or enforce uniqueness of e-mail addresses.
Отчет
This issue is rated Moderate rather than Important because exploitation depends on multiple external conditions and is limited in scope. The vulnerability does not introduce a direct code execution or privilege escalation vector within Python Social Auth itself; instead, it relies on insecure behavior from third-party identity providers that fail to validate or enforce unique e-mail addresses. In environments where reputable authentication services (e.g., Google, GitHub, Microsoft) are used—each enforcing verified and unique e-mails—the risk is effectively negligible. The flaw becomes exploitable only under misconfigured or untrusted providers, and even then, it merely enables potential account association or takeover rather than full compromise of the underlying application or system.
Меры по смягчению последствий
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability. To reduce the risk, administrators should restrict authentication to trusted identity providers that enforce verified and unique e-mail addresses, and ensure that the associate_by_email pipeline is disabled or tightly controlled. Limiting external providers and reviewing account-linking logic can effectively reduce the risk of unintended account association or takeover.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | python3.11-social-auth-app-django | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | python3x-social-auth-app-django | Fix deferred | ||
| Red Hat Ansible Automation Platform 2 | python-social-auth-app-django | Fix deferred | ||
| Red Hat Satellite 6 | python-social-auth-app-django | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
Связанные уязвимости
Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
Python Social Auth is a social authentication/registration mechanism. In versions prior to 5.6.0, upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or doesn't require unique e-mail addresses. Version 5.6.0 contains a patch. As a workaround, review the authentication service policy on e-mail addresses; many will not allow exploiting this vulnerability.
Python Social Auth is a social authentication/registration mechanism. ...
EPSS
4.8 Medium
CVSS3