Django-allauth 0.54.0 includes a security fix: Even when account enumeration prevention was turned on, it was possible for an attacker to infer whether or not a given account exists based upon the response time of an authentication attempt.

Affected versions of the django-allauth package are vulnerable to Open Redirect due to improper validation of the SAML RelayState parameter when IdP-initiated SSO is enabled. In the SAML login flow, django-allauth accepts any URL supplied in RelayState and uses it as the post-authentication redirect target, allowing untrusted external destinations to be processed without restriction when IdP-initiated SSO is turned on, which is disabled by default.

Affected versions of allauth are vulnerable to account enumeration through timing attacks (CWE-203). This vulnerability allows attackers to determine the existence of user accounts by measuring response times during email/password authentication attempts. The issue resides in the AuthenticationBackend._authenticate_by_email method, which did not mitigate timing discrepancies. Exploitation can be performed remotely with high feasibility. Users should update to the latest version of allauth to apply the implemented timing attack mitigations.

Affected versions of Django-allauth are vulnerable to CSRF and replay attacks in the SAML login flow. RelayStatewas used to keep track of whether or not the login flow was IdP or SP initiated. As RelayState is a separate field, not part of the SAMLResponse payload, it was not signed, causing the vulnerability.

In Django-allauth, a vulnerability allows attackers to inject arbitrary JavaScript into the login page when configuring the Facebook provider to use the `js_sdk` method, potentially compromising user sessions or stealing sensitive information.

Affected versions of the django-allauth package are vulnerable to Authorization Bypass due to the use of a mutable identifier (preferred_username) from third-party providers for authorization decisions. The authentication logic in django-allauth’s social account handling uses the preferred_username field from Okta and NetIQ OpenID Connect identity providers as the canonical user identifier, which may be changed by an attacker and is not stable enough to base authorization on; the code fails to validate that the identifier is immutable.

Affected versions of the django-allauth package are vulnerable to Insufficient Session Expiration due to access and refresh tokens remaining valid after the associated user account is deactivated. In django-allauth’s IdP OpenID Connect implementation, allauth/idp/oidc/internal/oauthlib/request_validator.py does not check instance.user.is_active in validate_bearer_token() and validate_refresh_token(), and allauth/idp/oidc/internal/oauthlib/device_codes.py previously returned token state without revalidating the user’s active status.

Redis 4.4.4 and 4.5.4 include a fix for CVE-2023-28859: Redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
https://github.com/advisories/GHSA-8fww-64cx-x8p5

Redis 4.4.4 and 4.5.4 include a fix for CVE-2023-28859: Redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
https://github.com/advisories/GHSA-8fww-64cx-x8p5

Redis 4.4.4 and 4.5.4 include a fix for CVE-2023-28859: Redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
https://github.com/advisories/GHSA-8fww-64cx-x8p5

Redis 4.4.4 and 4.5.4 include a fix for CVE-2023-28859: Redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
https://github.com/advisories/GHSA-8fww-64cx-x8p5

Redis 4.4.4 and 4.5.4 include a fix for CVE-2023-28859: Redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
https://github.com/advisories/GHSA-8fww-64cx-x8p5