DEBIAN-CVE-2024-42005

DEBIAN-CVE-2024-42005 PUBLISHED CVSS 7.300000190734863 HIGH

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Risk Scores

CVSS v3.1

7.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products

Vendor	Product	Versions
Debian:12	python-django	3:3.2.20-1.1, 3:3.2.21-1, 0
Debian:13	python-django	0, 0
Debian:14	python-django	0, 0
Debian:11	python-django	2.2.28-1, 2.2.28-1, 2.2.28-1

Timeline

Aug 7, 2024 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2024-42005 advisory

Open in Interactive Console →