SQL Injection Vulnerability in Django 5.0 and 4.2 via QuerySet.values() and values_list() Methods
CVE-2024-42005

7.3 HIGH

Key Information:

Status:
Vendor:
CVE Published: 7 August 2024

Badges

💰 Ransomware · 👾 Exploit Exists · 📰 News Worthy

What is CVE-2024-42005?

CVE-2024-42005 is a critical SQL injection flaw in Django 5.0 and 4.2 that affects the QuerySet.values() and values_list() methods: a crafted JSON object key passed as a positional *arg ends up in a column alias, allowing SQL injection. The vulnerability has been confirmed as exploited and carries a high potential impact, with a CVSS score of 9.8. Successful exploitation could lead to unauthorized access to and control over affected systems, potentially resulting in data breaches and the spread of malware. The Django project has released Django 5.0.8 and 4.2.15 to address this flaw. Applying these updates promptly is crucial to protect against advanced cyber threats.
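The two defensive checks a maintainer of a Django deployment would want after reading the summary above are (1) whether the installed Django release already carries the fix named here (5.0.8 or 4.2.15) and (2) an allowlist so that request-supplied strings are never forwarded straight into QuerySet.values(*args). The following is an added example written for this page, not code from the advisory or from the Django project; the field allowlist and the version strings are constructed samples, and series other than 4.2 and 5.0 are reported as unknown because the page says nothing about them.

```python
"""Defender-side checks for CVE-2024-42005 (added example, not project code).

1. django_version_is_fixed(): compares a Django version string against the
   fixed releases named on the page (4.2.15 and 5.0.8). Series the page does
   not mention return None ("unknown") instead of being assumed safe.
2. safe_values_fields(): the mitigation pattern of validating field names
   against an explicit allowlist before they reach QuerySet.values()/
   values_list(). Only identifier-shaped names are accepted, so a JSON key
   carrying quotes, spaces or other punctuation is rejected up front.
"""
from __future__ import annotations

import re

# Fixed releases named on the advisory page, keyed by (major, minor) series.
FIXED_RELEASES = {(4, 2): (4, 2, 15), (5, 0): (5, 0, 8)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '4.2.14' (or '5.0') into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def django_version_is_fixed(version: str) -> bool | None:
    """True if the version is at or past the fixed release for its series,
    False if it is an earlier 4.2/5.0 build, None if the series is not one
    the advisory on this page covers."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


# Constructed allowlist standing in for a model's concrete field names.
# In real code this would be derived from the model's _meta, not hard-coded.
SAMPLE_ALLOWED_FIELDS = frozenset({"id", "title", "created_at", "metadata"})

# A field name, optionally followed by __segment lookups, each an identifier.
_FIELD_PATH_RE = re.compile(r"^[A-Za-z_]\w*(?:__[A-Za-z_]\w*)*$")


def partition_values_fields(requested, allowed=SAMPLE_ALLOWED_FIELDS):
    """Split requested names into (accepted, rejected).

    A name is accepted only if it is a str, is identifier-shaped throughout
    (so no quotes or punctuation can reach a column alias), and its base
    field is on the allowlist.
    """
    accepted, rejected = [], []
    for name in requested:
        if (
            isinstance(name, str)
            and _FIELD_PATH_RE.match(name)
            and name.split("__", 1)[0] in allowed
        ):
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


def safe_values_fields(requested, allowed=SAMPLE_ALLOWED_FIELDS) -> list[str]:
    """Return the validated names to pass as *args to values()/values_list(),
    or raise if anything unexpected was requested."""
    accepted, rejected = partition_values_fields(requested, allowed)
    if rejected:
        raise ValueError(f"refusing field names not on the allowlist: {rejected!r}")
    return accepted


if __name__ == "__main__":
    for ver in ("4.2.14", "4.2.15", "5.0.7", "5.0.8", "5.1"):
        print(f"Django {ver}: fixed={django_version_is_fixed(ver)}")
    # Constructed request input: one plain field, one JSON key path, one bad key.
    print(partition_values_fields(["id", "metadata__colour", 'metadata__a"b']))
```

The version check is deliberately conservative: anything outside the 4.2 and 5.0 series comes back as None so a caller logs "unknown" rather than "safe". The allowlist check is the pattern to keep regardless of version, since it means user input never selects column aliases directly.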

News Articles

Top Cyber Security Informer Artificial Intelligence Cybersecurity Content for Fri. Aug 09, 2024

Best content around Artificial Intelligence Cybersecurity selected by the Cyber Security Informer community.

OP Innovate Blog Posts

Uncover the latest cybersecurity insights from OP Innovate. Stay up to date on the latest news on Application Pentesting and Incident Response.

Django Product Security Update Advisory (CVE-2024-42005) - Malware Analysis - Malware Analysis, News and Indicators

Overview: Django has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version. Affected Products: CVE-2024-42005 Django versions: 4.…

References

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 💰 Used in Ransomware
  • 👾 Exploit known to exist
  • 📰 First article discovered by malware.news
  • Vulnerability published
  • Vulnerability Reserved
