CVE-2024-53908

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-53908

CGA ID

CGA-x7qq-7cr6-xfq4

Severity

9.8

Critical

CVSS V3

Summary

Django SQL injection in HasKey(lhs, rhs) on Oracle

Description

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

References

https://images.chainguard.dev/security/CGA-x7qq-7cr6-xfq4
https://github.com/advisories/GHSA-m9g8-fxxm-xg86
https://nvd.nist.gov/vuln/detail/CVE-2024-53908
https://docs.djangoproject.com/en/dev/releases/security
https://github.com/django/django
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-157.yaml
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2024/dec/04/security-releases
https://www.openwall.com/lists/oss-security/2024/12/04/3

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2024-53908

Severity

Summary

Description

References

Affected packages

Product

Why Chainguard

Customers

Company

Resources