| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| social-auth-app-django | pip | < 5.6.0 | 5.6.0 |
The analysis of the security advisory and the associated patch commit 10c80e2ebabeccd4e9c84ad0e16e1db74148ed4c clearly points to the create_user method of the DjangoUserMixin class in social_django/storage.py as the source of the vulnerability. The vulnerability description states that an account could be associated by email even when this was not explicitly configured, leading to potential account compromise. The patch addresses this directly by changing the behavior of create_user. Previously, when an IntegrityError was caught (which happens when trying to create a user that already exists), the code would look up that existing user and link to it; this is the unsafe association. The fix removes that behavior and instead raises an AuthAlreadyAssociated exception, forcing the authentication process to stop. Therefore, any runtime profile taken during an exploit of this vulnerability would show the DjangoUserMixin.create_user function being executed.
Vulnerable function: DjangoUserMixin.create_user (social_django/storage.py)
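To make the before/after behaviour concrete, the following is an added, self-contained model of the two create_user patterns described above; it is not social-auth-app-django's own code, and IntegrityError, AuthAlreadyAssociated and UserTable are local stand-ins for the database error, the social_core exception and the Django user model.

```python
# Added model of the pre-/post-patch behaviour described above; it is not the
# project's own code. IntegrityError, AuthAlreadyAssociated, UserTable are stand-ins.

class IntegrityError(Exception):
    """Stand-in for the DB error raised on a unique-constraint violation."""

class AuthAlreadyAssociated(Exception):
    """Stand-in for the social_core exception the patched code raises."""

class UserTable:
    """Minimal user store whose username column (here an email) is unique."""
    def __init__(self):
        self.rows = {}  # username -> user record

    def create_user(self, username, **extra):
        if username in self.rows:
            raise IntegrityError(f"duplicate key: {username}")
        self.rows[username] = {"username": username, **extra}
        return self.rows[username]

def create_user_vulnerable(table, username, **extra):
    """Pre-5.6.0 pattern: catch IntegrityError, then look up and return the
    existing user, so a social login whose email collides with a pre-existing
    local account is silently attached to that account."""
    try:
        return table.create_user(username, **extra)
    except IntegrityError:
        return table.rows[username]  # unsafe association by lookup

def create_user_patched(table, username, **extra):
    """5.6.0 pattern: IntegrityError means the account already exists, so stop
    the pipeline rather than link a login that never proved ownership of it."""
    try:
        return table.create_user(username, **extra)
    except IntegrityError as exc:
        raise AuthAlreadyAssociated(f"already associated: {username}") from exc

def demo():
    """Return (vulnerable_linked_existing, patched_refused) for one collision."""
    table = UserTable()
    local = table.create_user("alice@example.com", source="local_signup")
    # Constructed social login presenting the same, unverified email address.
    linked = create_user_vulnerable(table, "alice@example.com", source="social")
    try:
        create_user_patched(table, "alice@example.com", source="social")
        refused = False
    except AuthAlreadyAssociated:
        refused = True
    return linked is local, refused
```

Running demo() shows the vulnerable pattern returning the pre-existing local account for the colliding social login, while the patched pattern stops the pipeline with AuthAlreadyAssociated.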