BIT-django-2024-53908
SQL injection vulnerability in django (PyPI)

SQL injection | No known exploit

What is BIT-django-2024-53908 About?

This vulnerability is a SQL injection flaw in Django's `django.db.models.fields.json.HasKey` lookup when it is used directly against an Oracle database. If untrusted data is supplied as the left-hand side (lhs) value of the lookup, an attacker can execute arbitrary SQL commands. This could lead to unauthorized data access, modification, or deletion, and is relatively easy to exploit once the specific conditions are met.

Affected Software

  • django
    • >5.0, <5.0.10
    • >5.0.0, <5.0.10
    • >5.1.0, <5.1.4
    • >4.2, <4.2.17
    • >4.2.0, <4.2.17
    • >5.1, <5.1.4

Technical Details

The vulnerability affects Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. When an application uses an Oracle database and constructs the `django.db.models.fields.json.HasKey` lookup directly, Django fails to properly sanitize untrusted input supplied as the lhs value. If an attacker controls the data passed into this lookup, malicious SQL can be injected into the generated query. Applications that use the JSONField `has_key` lookup through the `__has_key` double-underscore filter syntax are not affected, so the vulnerability is specific to direct construction of the lookup.
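An added audit helper (not from the advisory or from Django itself) that flags direct `HasKey(...)` constructions in application source, since the advisory states that the `__has_key` filter-keyword form is unaffected, and that maps an installed Django version to the patched release listed above. The sample source is constructed for illustration; it assumes Python 3.9+ for `ast.unparse` and an application model `Doc` that does not exist.

```python
# Added example, not part of the advisory. Flags direct HasKey construction
# (the affected code path) and checks a version against the affected ranges.
import ast

HASKEY_MODULE = "django.db.models.fields.json"
# Lower bound treated as inclusive: Technical Details says "4.2 before 4.2.17".
AFFECTED = [((4, 2, 0), (4, 2, 17)), ((5, 0, 0), (5, 0, 10)), ((5, 1, 0), (5, 1, 4))]


def parse_version(v):
    parts = [int(p) for p in v.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def fixed_version_for(version):
    """Return the patched release to upgrade to, or None if not affected."""
    ver = parse_version(version)
    for low, fixed in AFFECTED:
        if low <= ver < fixed:
            return ".".join(map(str, fixed))
    return None


def find_direct_haskey_calls(source, filename="<constructed>"):
    """Return (line, lhs_source) for every direct HasKey(...) construction."""
    tree = ast.parse(source, filename)
    names = set()  # local names bound to the HasKey class via import
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == HASKEY_MODULE:
            names.update(a.asname or a.name for a in node.names if a.name == "HasKey")
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        called = fn.id if isinstance(fn, ast.Name) else fn.attr if isinstance(fn, ast.Attribute) else None
        if called in names or called == "HasKey":  # also catches json.HasKey(...)
            lhs = ast.unparse(node.args[0]) if node.args else "<no lhs>"
            hits.append((node.lineno, lhs))
    return hits


# Constructed sample application code; `Doc` is a hypothetical model.
SAMPLE = '''\
from django.db.models import F
from django.db.models.fields.json import HasKey
from app.models import Doc

def safe(key):
    # filter keyword form; the advisory says this path is not affected
    return Doc.objects.filter(data__has_key=key)

def direct(key):
    # direct construction of the lookup: the code path the advisory covers
    return Doc.objects.filter(HasKey(F("data"), key))
'''

if __name__ == "__main__":
    print("upgrade target for 5.1.2:", fixed_version_for("5.1.2"))
    for line, lhs in find_direct_haskey_calls(SAMPLE):
        print(f"review direct HasKey at line {line}, lhs={lhs}")
```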

What is the Impact of BIT-django-2024-53908?

Successful exploitation may allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized access, manipulation, or deletion of sensitive database information. This could compromise data integrity, confidentiality, and availability.

What is the Exploitability of BIT-django-2024-53908?

Exploitation requires specific conditions: the target application must be running a vulnerable version of Django, using an Oracle database, and directly employing the django.db.models.fields.json.HasKey lookup with untrusted user-supplied data for the lhs value. Authentication to the application would likely be required to trigger the vulnerable code path, but the specific privilege level is dependent on the application's implementation. Access would typically be remote, via a web interface or API that processes the user-controlled input. The primary risk factor is the application's failure to sanitize input before it's passed to the vulnerable lookup function.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-django-2024-53908?

Available Upgrade Options

  • django
    • >4.2.0, <4.2.17 → Upgrade to 4.2.17
  • django
    • >5.0.0, <5.0.10 → Upgrade to 5.0.10
  • django
    • >5.1, <5.1.4 → Upgrade to 5.1.4


Additional Resources

What are Similar Vulnerabilities to BIT-django-2024-53908?

Similar Vulnerabilities: CVE-2023-30547, CVE-2023-28318, CVE-2022-23456, CVE-2021-38075, CVE-2020-13886