PYSEC-2024-157 — Vulnetix

PYSEC-2024-157 PUBLISHED CVSS 9.300000190734863 CRITICAL

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	django	5.1, 4.2.12, 4.2

Timeline

Dec 6, 2024 CVE Published
Mar 10, 2025 CVE Updated

References

https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/g/django-announce url
https://www.openwall.com/lists/oss-security/2024/12/04/3 url

Open in Interactive Console →