BIT-django-2024-53908

BIT-django-2024-53908 PUBLISHED CVSS 9.800000190734863 CRITICAL

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Bitnami	django	4.2.0, 5.0.0, 5.0.0

Timeline

Mar 10, 2025 CVE Published
Apr 3, 2025 CVE Updated

References

https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/g/django-announce url
https://www.openwall.com/lists/oss-security/2024/12/04/3 url
https://nvd.nist.gov/vuln/detail/CVE-2024-53908 url

Open in Interactive Console →