SQL Injection Vulnerability in Django Products by Django Software Foundation
CVE-2024-53908

Key Information:

Vendor: Django Software Foundation
CVE Published: 6 December 2024

What is CVE-2024-53908?

A vulnerability has been identified in Django versions 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. It allows potential SQL injection when the django.db.models.fields.json.HasKey lookup is used directly with untrusted data as its left-hand side (lhs) value, and it affects applications that run on an Oracle database. Applications that use the jsonfield.has_key lookup through the double-underscore (__) filter syntax are not affected.
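An added audit helper (not code from the Django project or this advisory) that checks a Django version against the fixed releases named above and scans source for direct HasKey(...) constructions whose lhs is not a string literal, which is the usage pattern the advisory describes; the sample source, the Article model and the request-derived lhs are constructed for illustration.

```python
"""Audit helper for CVE-2024-53908 (added example, not Django code)."""
import ast
from typing import List, Tuple

# First fixed patch level per affected branch, as stated in the advisory.
FIXED = {(5, 1): (5, 1, 4), (5, 0): (5, 0, 10), (4, 2): (4, 2, 17)}


def is_affected_version(version: str) -> bool:
    """True if a numeric Django version (e.g. '5.1.3') is in an affected range.

    Pre-release suffixes are not parsed; pass the plain X.Y.Z form.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    while len(parts) < 3:
        parts += (0,)
    fixed = FIXED.get(parts[:2])
    # Branches the advisory does not list (e.g. 3.2) are reported as unaffected.
    return fixed is not None and parts < fixed


def find_haskey_with_dynamic_lhs(source: str) -> List[Tuple[int, str]]:
    """Return (line, lhs source) for HasKey(...) calls whose lhs is not a literal.

    Any non-literal lhs is reported for manual review; the jsonfield__has_key
    filter syntax is never flagged because it is not a HasKey(...) call.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "HasKey" or not node.args:
            continue
        lhs = node.args[0]
        if not isinstance(lhs, ast.Constant):
            findings.append((node.lineno, ast.unparse(lhs)))
    return findings


# Constructed sample: one direct HasKey with a request-derived lhs (flagged)
# and one double-underscore has_key filter (unaffected per the advisory).
SAMPLE = '''
from django.db.models.fields.json import HasKey
qs = Article.objects.filter(HasKey(request.GET["field"], "title"))
qs2 = Article.objects.filter(data__has_key="title")
'''

if __name__ == "__main__":
    print(is_affected_version("5.1.3"), find_haskey_with_dynamic_lhs(SAMPLE))
```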
