PYSEC-2024-70 — Vulnetix

PYSEC-2024-70 PUBLISHED CVSS 9.300000190734863 CRITICAL

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	django	5.0, 4.2, 4.2

Timeline

Aug 7, 2024 CVE Published
Aug 8, 2024 CVE Updated

References

https://docs.djangoproject.com/en/dev/releases/security/ url
https://groups.google.com/forum/#%21forum/django-announce url
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/ article

Open in Interactive Console →