CVE-2024-53908

NameCVE-2024-53908
DescriptionAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-django (PTS)bullseye2:2.2.28-1~deb11u2fixed
bullseye (security)2:2.2.28-1~deb11u3fixed
bookworm, bookworm (security)3:3.2.19-1+deb12u1vulnerable
sid, trixie3:4.2.17-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-djangosourcebullseye(not affected)
python-djangosource(unstable)3:4.2.17-1

Notes

[bullseye] - python-django <not-affected> (Vulnerable code introduce later)
https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
Fixed by: https://github.com/django/django/commit/7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5 (4.2.17)
Search for package or bug name: Reporting problems