CVE-2024-22513

Affected Versions: django-rest-framework-simplejwt up to and including version 5.3.1 (the latest version at the time of writing)

Potential Misuse:
- Improper JWT Token Generation for Inactive Users: If a programmer generates a JWT token for an inactive user with the token class and method referenced below, without first validating that the user is active, the resulting token is signed and verifiable like any other. This leads to the security concerns listed under Impact.

Impact:
- Bypass of Account Deactivation: A JWT token generated for an inactive user remains valid until it expires, so whoever holds it can act as that account despite the deactivation.
- Authentication Bypass: Access to Django application resources by an account that should no longer be able to authenticate.
- Authorization Issues: Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA), because the deactivated account's object- and function-level permissions are evaluated as if the account were still live.
- Information Disclosure: Access to sensitive information reachable through that account.

Mitigation:
- Use the provided Token Obtain Serializers and the JWTAuthentication backend. The serializers obtain the user through Django's authenticate(), whose default backend rejects inactive users, and JWTAuthentication re-checks that the user is active on every request it authenticates.
- Ensure thorough validation of the user's active status before generating a token with the lower-level token classes directly.
- Any other consumer that verifies these tokens on its own (a custom authentication class, or another service sharing the signing key) does not get the JWTAuthentication check for free and must perform the same active-user validation itself.

Additional Information:
- The method referenced below carries potential security risks if it is not used correctly.
- Developers should follow the library's documentation to avoid exposing their projects to security vulnerabilities.
- References for more information:
  - https://django-rest-framework-simplejwt.readthedocs.io/en/latest/simplejwt.html#rest_framework_simplejwt.tokens.AccessToken
  - https://django-rest-framework-simplejwt.readthedocs.io/en/latest/simplejwt.html#rest_framework_simplejwt.tokens.Token
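The pattern behind the Potential Misuse and Mitigation sections, as an added example that is not code from django-rest-framework-simplejwt or from Django: a stand-in HS256 JWT issuer (stdlib only, so it runs without a Django project) mints a token for an inactive user, a hardened issuer refuses to, and a request-time check in the style of an authentication backend rejects the token even though its signature is valid. The `User` dataclass, the `SECRET` key, the helper names and the two sample users are constructed for this illustration and are not the library's API.

```python
"""Added example (not library code): token issuance for an inactive user,
the vulnerable and hardened issuer side by side, and a request-time check."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"  # stand-in for the real SIGNING_KEY setting


@dataclass
class User:  # constructed stand-in for a Django user row
    id: int
    username: str
    is_active: bool


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET) -> dict:
    """Checks signature and expiry only; knows nothing about account status."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def issue_token_unchecked(user: User, lifetime: int = 300) -> str:
    """Vulnerable pattern: signs a token for whatever user it is handed,
    with no look at is_active (the misuse the advisory describes)."""
    return sign_jwt({"user_id": user.id, "exp": int(time.time()) + lifetime})


def issue_token_checked(user: User, lifetime: int = 300) -> str:
    """Hardened pattern: validate the account before anything is signed."""
    if not user.is_active:
        raise PermissionError("refusing to issue a token for an inactive user")
    return issue_token_unchecked(user, lifetime)


def authenticate_request(token: str, user_db: dict) -> User:
    """Request-time check in the style of an authentication backend: a valid
    signature is necessary but not sufficient; the user must exist and be active."""
    claims = verify_jwt(token)
    user = user_db.get(claims["user_id"])
    if user is None:
        raise PermissionError("user not found")
    if not user.is_active:
        raise PermissionError("user is inactive")
    return user


def demo() -> dict:
    """Runs the scenarios on two constructed users and reports the outcomes."""
    active = User(1, "alice", True)
    inactive = User(2, "bob", False)
    user_db = {u.id: u for u in (active, inactive)}
    results = {}
    leaked = issue_token_unchecked(inactive)
    # The token for the deactivated account verifies like any other.
    results["unchecked_token_verifies"] = verify_jwt(leaked)["user_id"] == inactive.id
    try:
        issue_token_checked(inactive)
        results["checked_issuer_refuses"] = False
    except PermissionError:
        results["checked_issuer_refuses"] = True
    try:
        authenticate_request(leaked, user_db)
        results["backend_rejects_inactive"] = False
    except PermissionError:
        results["backend_rejects_inactive"] = True
    results["active_user_ok"] = (
        authenticate_request(issue_token_checked(active), user_db).username == "alice"
    )
    return results


if __name__ == "__main__":
    print(demo())
```

The point of keeping both checks is defence in depth: the issuer-side check stops the token from ever existing, and the request-side check catches tokens issued before deactivation or by code paths that skipped the first check. Any verifier that only does what `verify_jwt` does here will accept the deactivated account.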