Description
Improper Privilege Management Vulnerability
Description:
I recently came across a Dependabot alert on GitHub regarding an improper privilege management vulnerability in djangorestframework-simplejwt. I attempted to address this by upgrading to the latest version, only to discover that version 5.3.1 is the most recent release and it remains vulnerable.
The vulnerability allows a user to access web application resources even after their account has been disabled, because the for_user method that issues tokens performs no validation of the user's status (for example, whether the account is still active).
Affected Versions:
- djangorestframework-simplejwt (pip) <= 5.3.1
Patched Version:
- None
Steps to Reproduce:
- Create a user account and log in.
- Disable the user account in the application.
- Attempt to access resources using the previously issued JWT token.
Expected Behavior:
The disabled user should not be able to access any resources.
Actual Behavior:
The disabled user can still access resources due to missing validation checks.
Possible Solution:
Add a user-status validation check to the for_user method so that no token is issued for a disabled user and disabled users cannot access resources.
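The following is an added illustration of the proposed fix, not code from djangorestframework-simplejwt or from this report. It models a minimal HS256 token issuer (the `SECRET`, the in-memory `USERS` store and the helper names are all constructed for the example) with a `for_user_unchecked` issuer mirroring the reported behaviour next to a hardened `for_user` that refuses inactive accounts. It also adds the check a practitioner would want in any case: a token issued before the account was disabled is still cryptographically valid until it expires, so the authentication path must re-check the user's status on every request rather than trusting the signature alone.

```python
"""
Minimal model of a JWT 'for_user' issuer with and without an is_active check.
Added illustration; not code from djangorestframework-simplejwt. SECRET, the
USERS store and all helper names are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

SECRET = b"example-signing-key-not-for-production"  # constructed for the example


@dataclass
class User:
    id: int
    username: str
    is_active: bool = True


# Constructed in-memory "database" standing in for the application's user table.
USERS = {1: User(1, "alice"), 2: User(2, "mallory", is_active=False)}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SECRET, signing_input, hashlib.sha256).digest()


def encode(payload: dict) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    return f"{header}.{body}.{_b64(_sign(signing_input))}"


def decode(token: str) -> dict:
    """Verify signature and expiry; says nothing about the user's current status."""
    header, body, sig = token.split(".")
    expected = _sign(f"{header}.{body}".encode())
    if not hmac.compare_digest(_unb64(sig), expected):
        raise ValueError("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= time.time():
        raise ValueError("token expired")
    return payload


def for_user_unchecked(user: User, lifetime: int = 300) -> str:
    """Issue a token for any user object, mirroring the reported behaviour:
    no check that the account is active."""
    return encode({"user_id": user.id, "exp": int(time.time()) + lifetime})


def for_user(user: User, lifetime: int = 300) -> str:
    """Hardened issuer: refuse to mint a token for a disabled account."""
    if not user.is_active:
        raise PermissionError("refusing to issue a token for an inactive user")
    return for_user_unchecked(user, lifetime)


def disable_user(user_id: int) -> None:
    """Simulate an administrator disabling the account after a token was issued."""
    USERS[user_id].is_active = False


def authenticate(token: str) -> User:
    """Request-time check: a valid signature is not enough; the user must
    still exist and still be active when the token is presented."""
    payload = decode(token)
    user = USERS.get(payload["user_id"])
    if user is None:
        raise PermissionError("user not found")
    if not user.is_active:
        raise PermissionError("user is inactive")
    return user
```

Run the reproduction steps from the report against this model: issue a token with `for_user` for the active user, call `disable_user` on that account, then present the old token to `authenticate`. The signature and expiry still pass `decode`, and only the status re-check in `authenticate` blocks the request; the issuance-time check in `for_user` alone would not have.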
Reference
I was initially alerted to the issue by a dependency bot. Upon attempting to update the package, I discovered there was no updated version available on PyPI. I then checked the repository for recent updates, but none were available.
This issue is critical as it can lead to unauthorized access to resources by users who should no longer have access. Please prioritize this fix and release an updated version as soon as possible.