Описание
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
| Релиз | Статус | Примечание |
|---|---|---|
| devel | needs-triage | |
| esm-apps/bionic | needs-triage | |
| esm-apps/focal | needs-triage | |
| esm-apps/jammy | needs-triage | |
| esm-apps/noble | needs-triage | |
| jammy | needs-triage | |
| noble | needs-triage | |
| plucky | needs-triage | |
| questing | needs-triage | |
| upstream | needs-triage |
Показывать по
5.4 Medium
CVSS3
Связанные уязвимости
An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.
An issue was discovered in allauth-django before 65.13.0. Both Okta an ...
django-allauth's Okta and NetIQ implementations used a mutable identifier for authorization decisions
5.4 Medium
CVSS3