CVE-2024-53908 — SQL Injection in Django

CWE-89 — SQL Injection11 documents8 sources

Severity

9.8CRITICALNVD

OSV7.5

EPSS

0.7%

top 28.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Djangoproject Django

Timeline

PublishedDec 6

Latest updateFeb 7

Description

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDdjangoproject/django4.2 — 4.2.17+2

▶PyPIdjangoproject/django5.0.0 — 5.0.10+5

Patches

Patch: docs.djangoproject.com ↗

🔴Vulnerability Details

GHSA

Django SQL injection in HasKey(lhs, rhs) on Oracle↗2024-12-06

▶

OSV

Django SQL injection in HasKey(lhs, rhs) on Oracle↗2024-12-06

▶

CVEList

CVE-2024-53908: An issue was discovered in Django 5↗2024-12-06

▶

OSV

CVE-2024-53908: An issue was discovered in Django 5↗2024-12-06

▶

OSV

python-django vulnerabilities↗2024-12-04

▶

📋Vendor Advisories

Red Hat

django: Potential SQL injection in HasKey(lhs, rhs) on Oracle↗2024-12-04

▶

Ubuntu

Django vulnerabilities↗2024-12-04

▶

Debian

CVE-2024-53908: python-django - An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 b...↗2024

▶

💬Community

HackerOne

CVE-2024-53908: Django Potential SQL injection in `HasKey(lhs, rhs)` on Oracle↗2025-02-07

▶