BIT-django-2024-42005
SQL Injection vulnerability in django (PyPI)

SQL Injection · No known exploit · Fixable by Resolved Security

What is BIT-django-2024-42005 About?

This is a SQL Injection vulnerability in Django's `QuerySet.values()` and `values_list()` methods when they are used on models with a JSONField. A crafted JSON object key passed as a `*arg` can lead to arbitrary SQL execution. Exploitation only requires supplying that specific malicious input, which makes it relatively straightforward for an attacker.

Affected Software

  • django
    • >5.0, <5.0.8
    • >4.2, <4.2.15

Technical Details

The vulnerability exists in Django's `QuerySet.values()` and `values_list()` methods. When these methods are called on models that include a JSONField, and a crafted JSON object key is passed as a `*arg` (a positional argument, typically unpacked from a sequence the application built from request data), the result is SQL injection. While handling the JSON field and constructing the column aliases for the query, the Django ORM processes the attacker-controlled JSON key without adequate validation. This lets the attacker inject SQL fragments directly into the generated SQL query, which the database then executes. The specific mechanism is the insufficient sanitization or escaping of the JSON key when it is used to form part of the query's SELECT clause, particularly during alias generation.
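The defensive counterpart to the mechanism described above is to treat every name an application forwards to `values()`/`values_list()` as a schema identifier, not as data, and to allowlist it before unpacking. The following is an added example, not Django's code and not the upstream patch; the `ALLOWED_FIELDS` set, the JSON field `data` and the `Item` model in the comments are assumptions for illustration.

```python
import re

# Constructed allowlist for this illustration: the model columns and JSON
# key paths that one endpoint is permitted to project. In a real application
# this comes from the model definition, never from the request.
ALLOWED_FIELDS = frozenset({"id", "name", "data__owner", "data__status"})

# Shape of an ORM lookup path: identifiers joined by "__". Anything else
# (quotes, whitespace, punctuation) has no business in a column reference.
_LOOKUP_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z_][A-Za-z0-9_]*)*")


class UnsafeFieldError(ValueError):
    """Raised when request-supplied field names fail screening."""


def screen_values_fields(requested, allowed=ALLOWED_FIELDS):
    """Split candidate names for values()/values_list() into accepted and
    rejected tuples. Rejected entries carry a reason so they can be logged;
    a burst of 'malformed' rejections is a useful detection signal."""
    accepted, rejected = [], []
    for name in requested:
        if not isinstance(name, str) or not _LOOKUP_RE.fullmatch(name):
            rejected.append((name, "malformed"))
        elif name not in allowed:
            rejected.append((name, "not_allowlisted"))
        else:
            accepted.append(name)
    return tuple(accepted), tuple(rejected)


def safe_values_fields(requested, allowed=ALLOWED_FIELDS):
    """Return a tuple that is safe to unpack into values(*fields); refuse the
    whole request if any name fails, rather than silently dropping it."""
    accepted, rejected = screen_values_fields(requested, allowed)
    if rejected:
        raise UnsafeFieldError(f"rejected field names: {rejected!r}")
    return accepted


if __name__ == "__main__":
    # Constructed request input: two legitimate names, one malformed path
    # (contains a quote) and one well-formed name the endpoint does not expose.
    user_supplied = ["id", "data__owner", 'data__key"', "data__secret"]
    print(screen_values_fields(user_supplied))
    # Vulnerable pattern (Django not imported here, shown for contrast):
    #   Item.objects.values(*user_supplied)
    # Hardened pattern: screen first, then unpack only the accepted names.
    #   Item.objects.values(*safe_values_fields(user_supplied))
```

Upgrading to a fixed Django release remains the primary fix; this allowlist is the application-side control that also holds against future alias-handling bugs.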

What is the Impact of BIT-django-2024-42005?

Successful exploitation may allow attackers to execute arbitrary SQL commands on the underlying database, leading to data theft, data manipulation, or complete compromise of the database.

What is the Exploitability of BIT-django-2024-42005?

Exploitation is relatively straightforward for an authenticated user who can interact with Django models through `QuerySet.values()` or `values_list()` in conjunction with a JSONField. No privilege level beyond normal application usage is typically required for a successful SQL injection, but the ability to supply a crafted JSON object key is essential. This is usually a remote vulnerability, relying on an attacker sending malicious input via a web request. The attacker must understand how the application uses these Django methods with JSONField and craft the `*arg` accordingly. The likelihood of exploitation increases if the application directly or indirectly passes user input into the `values()` or `values_list()` arguments that target JSONFields.

What are the Known Public Exploits?

No known exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for BIT-django-2024-42005?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.


Available Upgrade Options

  • django
    • >4.2, <4.2.15 → Upgrade to 4.2.15
    • >5.0, <5.0.8 → Upgrade to 5.0.8


Additional Resources

What are Similar Vulnerabilities to BIT-django-2024-42005?

Similar Vulnerabilities: CVE-2024-27329, CVE-2023-46736, CVE-2023-37599, CVE-2023-37905, CVE-2022-48766