CVE-2024-53908
Published: 2024-12-06
Priority: P3 · 56 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.40% (69.0th percentile)
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 3:4.2.17-1 (forky) | python-django 3:4.2.17-1 (forky) |
| djangoproject | django | >= 4.2 < 4.2.17 | 4.2.17 |
| djangoproject | django | >= 4.2.0 < 4.2.17 | 4.2.17 |
| djangoproject | django | >= 5.0 < 5.0.10 | 5.0.10 |
| djangoproject | django | >= 5.0.0 < 5.0.10 | 5.0.10 |
| djangoproject | django | >= 5.1 < 5.1.4 | 5.1.4 |
| djangoproject | django | >= 5.1.0 < 5.1.4 | 5.1.4 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | LOW | |
| vendor_redhat | 9.8 | CRITICAL | |
| vendor_ubuntu | 7.5 | HIGH | |
Red Hat
django: Potential SQL injection in HasKey(lhs, rhs) on Oracle
vendor_redhat·2024-12-04·CVSS 9.8
CVE-2024-53908 [CRITICAL] CWE-89 django: Potential SQL injection in HasKey(lhs, rhs) on Oracle
A vulnerability was found in the Django Web Framework. The direct usage of django.db.models.fields.json.HasKey may be vulnerable to SQL injection if untrusted data is used to perform queries.
Package: ansible-tower (Red Hat Ansible Automation Platform 1.2) - Will not fix
Package: ansible-automation-platform-24/ansible-dev-tools-rhel8 (Red Hat Ansible Automation Platform 2) - Affected
Ubuntu
Django vulnerability
vendor_ubuntu·2024-12-04·CVSS 7.5
CVE-2024-53907 [HIGH] Django vulnerability
Summary: Several security issues were fixed in Django.
USN-7136-1 fixed a vulnerability in Django. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Original advisory details:
jiangniao discovered that Django incorrectly handled the API to strip tags. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2024-53907)
Seokchan Yoon discovered that Django incorrectly handled HasKey lookups when using Oracle. A remote attacker could possibly use this issue to inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-53908)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Django vulnerabilities
vendor_ubuntu·2024-12-04·CVSS 7.5
CVE-2024-53907 [HIGH] Django vulnerabilities
Summary: Several security issues were fixed in Django.
jiangniao discovered that Django incorrectly handled the API to strip tags. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2024-53907)
Seokchan Yoon discovered that Django incorrectly handled HasKey lookups when using Oracle. A remote attacker could possibly use this issue to inject arbitrary SQL code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2024-53908)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2024-53908: python-django - An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 b...
vendor_debian·2024·CVSS 9.8
CVE-2024-53908 [CRITICAL] CVE-2024-53908: python-django - An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 b...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 3:4.2.17-1)
sid: resolved (fixed in 3:4.2.17-1)
trixie: resolved (fixed in 3:4.2.17-1)
GHSA
Django SQL injection in HasKey(lhs, rhs) on Oracle
ghsa·2024-12-06
CVE-2024-53908 [HIGH] CWE-89 Django SQL injection in HasKey(lhs, rhs) on Oracle
OSV
Django SQL injection in HasKey(lhs, rhs) on Oracle
osv·2024-12-06
CVE-2024-53908 [HIGH] Django SQL injection in HasKey(lhs, rhs) on Oracle
OSV
CVE-2024-53908: An issue was discovered in Django 5
osv·2024-12-06·CVSS 9.8
CVE-2024-53908 [CRITICAL] CVE-2024-53908: An issue was discovered in Django 5
OSV
python-django vulnerabilities
osv·2024-12-04·CVSS 7.5
CVE-2024-53907 [HIGH] python-django vulnerabilities
OSV
python-django vulnerability
osv·2024-12-04·CVSS 7.5
CVE-2024-53907 [HIGH] python-django vulnerability
No detection rules found.
No public exploits indexed.