CVE-2024-42005
Published 2024-08-07
Priority: P3 · 45 · high · CVSS 3.1 base score 7.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 1.23% (65.1th percentile)
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:3.2.25-0+deb12u1 (bookworm) | python-django 3:3.2.25-0+deb12u1 (bookworm) |
| djangoproject | django | >= 4.2 < 4.2.15 | 4.2.15 |
| djangoproject | django | >= 4.2 < 4.2.15 | 4.2.15 |
| djangoproject | django | >= 5.0 < 5.0.8 | 5.0.8 |
| djangoproject | django | >= 5.0 < 5.0.8 | 5.0.8 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| osv | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
| vendor_debian | | 7.3 | HIGH | |
| vendor_redhat | | 7.3 | HIGH | |
OSV: Django SQL injection vulnerability
osv · 2024-08-07 · CVE-2024-42005 [CRITICAL]
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
GHSA: Django SQL injection vulnerability
ghsa · 2024-08-07 · CVE-2024-42005 [CRITICAL] · CWE-89
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
OSV: CVE-2024-42005: An issue was discovered in Django 5
osv · 2024-08-07 · CVSS 7.3 · CVE-2024-42005 [HIGH]
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
OSV: python-django vulnerabilities
osv · 2024-08-06 · CVSS 7.5 · CVE-2024-41989 [HIGH]
It was discovered that Django incorrectly handled certain strings in the floatformat function. An attacker could possibly use this issue to cause memory exhaustion. (CVE-2024-41989)
It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41990)
It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large number of Unicode characters. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41991)
It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a potential SQL injection. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
Red Hat: python-django: Potential SQL injection in QuerySet.values() and values_list()
vendor_redhat · 2024-08-06 · CVSS 7.3 · CVE-2024-42005 [HIGH] · CWE-89
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
A flaw was found in Django. The QuerySet.values() and QuerySet.values_list() methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Statement: This vulnerability is considered of moderate severity rather than high or critical because it requires specific conditions to be exploitable. The potential for SQL injection exists only when QuerySet.values() or values_list() methods are used on models with a
Ubuntu: Django vulnerabilities
vendor_ubuntu · 2024-08-06 · CVSS 7.5 · CVE-2024-41990 [HIGH]
Summary: Several security issues were fixed in Django.
It was discovered that Django incorrectly handled certain strings in the floatformat function. An attacker could possibly use this issue to cause memory exhaustion. (CVE-2024-41989)
It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41990)
It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large number of Unicode characters. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-41991)
It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use this issue to cause a potential SQL injection.
Debian: CVE-2024-42005: python-django - An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QueryS...
vendor_debian · 2024 · CVSS 7.3 · CVE-2024-42005 [HIGH]
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Scope: local
* bookworm: resolved (fixed in 3:3.2.25-0+deb12u1)
* bullseye: resolved (fixed in 2:2.2.28-1~deb11u11)
* forky: resolved (fixed in 3:4.2.15-1)
* sid: resolved (fixed in 3:4.2.15-1)
* trixie: resolved (fixed in 3:4.2.15-1)
No detection rules found.
No public exploits indexed.
HackerOne: CVE-2024-56374: Denial-of-service vulnerability in IPv6 validation
hackerone · 2025-05-27 · CVSS 7.3 · CVE-2024-56374 [HIGH]
Hi IBB Team, :)
I discovered a vulnerability in Django related to `IPv6` validation that could potentially lead to a denial-of-service attack. You can find the details of my report and the assigned (CVE-2024-42005) at the following links:
* https://www.djangoproject.com/weblog/2025/jan/14/security-releases/
* https://github.com/django/django/commit/ca2be7724e1244a4cb723de40a070f873c6e94bf#diff-dde021d7427efcb4de60b971a1dbcafb0aa3732f263572be835a311d8be20d96R10
## Impact
Lack of upper bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions `clean_ipv6_address and is_valid_ipv6_address` were vulnerable, as was the
HackerOne: CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
hackerone · 2024-08-24 · CVSS 7.3 · CVE-2024-42005 [HIGH]
Hi IBB :)
I found an SQL injection in Django.
You can see my CVE (CVE-2024-42005) here:
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
## Impact
QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
NVD rated the vulnerability severity as 9.8.
https://nvd.nist.gov/vuln/detail/CVE-2024-42005
### CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()
QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Thanks to Eyal Gabay of EyalSec for the rep
Bugzilla: CVE-2024-42005 python-django: Potential SQL injection in QuerySet.values() and values_list()
bugzilla · 2024-08-02 · CVSS 7.3 · CVE-2024-42005 [HIGH]
Description: QuerySet.values() and QuerySet.values_list() methods on models with a JSONField were subject to SQL injection in column aliases, via a crafted JSON object key as a passed *arg.
Affected versions
* Django main development branch
* Django 5.1 (currently at release candidate status)
* Django 5.0
* Django 4.2
Discussion:
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:6428 https://access.redhat.com/errata/RHSA-2024:6428
---
This issue has been addressed in the following products:
Red Hat Satellite 6.16 for RHEL 8
Red Hat Satellite 6.16 for RHEL 9
Via RHSA-
Published 2024-08-07