CVE-2024-53908
SQL injection vulnerability in django (PyPI)

SQL injection No known exploit Fixable By Resolved Security

What is CVE-2024-53908 About?

This vulnerability in Django allows SQL injection when the `django.db.models.fields.json.HasKey` lookup is used directly on an Oracle database with untrusted data as the left-hand side (lhs) value. An attacker can inject arbitrary SQL into the resulting query; Django classified the issue as high severity.

Affected Software

  • django
    • >=4.2, <4.2.17
    • >=5.0, <5.0.10
    • >=5.1, <5.1.4

Technical Details

Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17 are affected. When the django.db.models.fields.json.HasKey lookup is used directly on an Oracle database and untrusted data is supplied as the left-hand side (lhs) value, the lookup is subject to SQL injection, allowing an attacker to inject arbitrary SQL into the generated query. Applications that use the has_key lookup on a JSONField through the __ (double underscore) syntax, e.g. filter(data__has_key=value), are unaffected: the lhs is then always the field itself and user data only reaches the right-hand side.
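As an added illustration (this is not code from the advisory and not Django's own implementation), the following stand-alone model shows the shape of the problem: on Oracle the JSON path cannot be passed as a bind variable, so the compiled lookup is string-formatted into the statement, and any bind parameter belonging to the lhs goes in raw along with it. The names Column, Literal, compile_has_key_oracle_vulnerable and compile_has_key_oracle_hardened are assumptions made for the example; the payload is constructed.

```python
import json


class Column:
    """Trusted column reference (what __has_key always uses as lhs):
    compiles to a quoted identifier with no bind parameters."""

    def __init__(self, name):
        self.name = name

    def compile(self):
        return '"%s"' % self.name, []


class Literal:
    """A caller-supplied value used as lhs: compiles to a placeholder
    plus one bind parameter (the shape an untrusted lhs takes)."""

    def __init__(self, value):
        self.value = value

    def compile(self):
        return "%s", [self.value]


def json_path_for_key(key):
    # JSON path for a single key; json.dumps quotes and escapes the key name.
    return "$." + json.dumps(key)


def compile_has_key_oracle_vulnerable(lhs, key):
    """Vulnerable shape (simplified model, not Django's code): Oracle cannot
    take the JSON path as a bind variable, so the whole parameter list,
    lhs parameters included, is pasted into the SQL text."""
    lhs_sql, lhs_params = lhs.compile()
    sql = "JSON_EXISTS(%s, '%%s')" % lhs_sql
    params = lhs_params + [json_path_for_key(key)]
    # An untrusted lhs value lands raw in the statement here.
    return sql % tuple(params), []


def compile_has_key_oracle_hardened(lhs, key):
    """One safe shape (illustrative, not Django's actual patch): inline only
    the escaped JSON path and keep every lhs value as a bind parameter."""
    lhs_sql, lhs_params = lhs.compile()
    path = json_path_for_key(key).replace("'", "''")  # escape for an Oracle string literal
    return "JSON_EXISTS(%s, '%s')" % (lhs_sql, path), lhs_params


# Constructed attacker-controlled lhs value; closes the JSON_EXISTS call and
# appends an always-true predicate.
PAYLOAD = "'{}') OR 1=1 --"

if __name__ == "__main__":
    print(compile_has_key_oracle_vulnerable(Column("data"), "k"))
    print(compile_has_key_oracle_vulnerable(Literal(PAYLOAD), "k"))
    print(compile_has_key_oracle_hardened(Literal(PAYLOAD), "k"))
```

With a column as lhs both versions produce the same statement, which is why the __has_key syntax is unaffected; the difference only appears when the lhs carries a bind parameter.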

What is the Impact of CVE-2024-53908?

Successful exploitation may allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, deletion, or complete compromise of the database.

What is the Exploitability of CVE-2024-53908?

Exploitation requires an attacker to get untrusted data into the left-hand side (lhs) value of a directly used django.db.models.fields.json.HasKey lookup, in a Django application running on an Oracle database. Attack complexity is moderate: the attacker needs to know, or discover, an application code path that passes user-controlled data as the lhs of that lookup. Whether authentication or privileges are needed depends on whether that code path is reachable by unauthenticated users or only by authenticated ones. The attack is remote whenever the application is reachable over the network. Three preconditions must hold together: an affected Django version, the Oracle backend, and direct use of HasKey with an untrusted lhs. Applications that only use the __has_key lookup syntax, or that run on another database backend, are not exposed.
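As an added triage helper (not part of the advisory), the function below applies the three preconditions above to a deployment: Django version within the advisory's ranges, Oracle backend, and direct HasKey( usage in the code base. The source scan is a heuristic (an aliased import would be missed) and a positive result still needs a manual check of whether the lhs at each site can carry untrusted data. The sample sources and the function names are constructed for this example; versions older than 4.2 are outside the advisory's ranges and are simply reported as not matching.

```python
import re

# Affected ranges from the advisory: (first affected minor, first fixed version).
AFFECTED_RANGES = (
    ((4, 2), (4, 2, 17)),
    ((5, 0), (5, 0, 10)),
    ((5, 1), (5, 1, 4)),
)
ORACLE_ENGINE = "django.db.backends.oracle"
# Direct use of the lookup class is the risky pattern; data__has_key=... is not.
DIRECT_HASKEY = re.compile(r"\bHasKey\s*\(")


def parse_version(text):
    """'5.1.3' -> (5, 1, 3); '4.2' -> (4, 2). Non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def version_affected(version):
    ver = parse_version(version)
    return any(ver[:2] == lo and ver < hi for lo, hi in AFFECTED_RANGES)


def find_direct_haskey_sites(sources):
    """sources: {path: file text}. Returns (path, line) for each HasKey( call."""
    sites = []
    for path, text in sources.items():
        for m in DIRECT_HASKEY.finditer(text):
            sites.append((path, text.count("\n", 0, m.start()) + 1))
    return sites


def assess(django_version, db_engine, sources):
    """Report whether all three preconditions hold and why not otherwise."""
    sites = find_direct_haskey_sites(sources)
    unmet = []
    if not version_affected(django_version):
        unmet.append("Django %s is outside the affected ranges" % django_version)
    if db_engine != ORACLE_ENGINE:
        unmet.append("database backend is not Oracle")
    if not sites:
        unmet.append("no direct HasKey( usage found")
    return {"preconditions_met": not unmet, "sites": sites, "unmet": unmet}


# Constructed sample inputs (not from any real project).
SAMPLE_SOURCES = {
    "app/views.py": "from django.db.models.fields.json import HasKey\n"
                    "qs = Doc.objects.filter(HasKey(Value(raw), 'k'))\n",
    "app/safe.py": "qs = Doc.objects.filter(data__has_key=raw)\n",
}

if __name__ == "__main__":
    print(assess("5.1.3", ORACLE_ENGINE, SAMPLE_SOURCES))
    print(assess("5.1.3", "django.db.backends.postgresql", SAMPLE_SOURCES))
```

Run it against the real DATABASES setting and a dict built from your own source tree; the reported sites are the places to review for an untrusted lhs.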

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2024-53908?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.


Available Upgrade Options

  • django
    • >=4.2, <4.2.17 → Upgrade to 4.2.17
    • >=5.0, <5.0.10 → Upgrade to 5.0.10
    • >=5.1, <5.1.4 → Upgrade to 5.1.4


Additional Resources

What are Similar Vulnerabilities to CVE-2024-53908?

Similar Vulnerabilities: CVE-2022-34265, CVE-2021-44420, CVE-2021-23334, CVE-2020-7049, CVE-2019-14234