PT-2024-9187 · Django+6

Seokchan Yoon · Published 2024-12-04 · Updated 2026-01-03 · CVE-2024-53908

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Django versions 4.2 through 4.2.17
Django versions 5.0 through 5.0.10
Django versions 5.1 through 5.1.4

Description: An issue was discovered in Django when using an Oracle database. Direct usage of the django.db.models.fields.json.HasKey lookup is subject to SQL injection if untrusted data is used as an lhs value. This issue can be exploited by a remote attacker to execute arbitrary SQL code by sending a specially crafted request.

Recommendations:
For Django versions 4.2 through 4.2.17, upgrade to version 4.2.17 or later.
For Django versions 5.0 through 5.0.10, upgrade to version 5.0.10 or later.
For Django versions 5.1 through 5.1.4, upgrade to version 5.1.4 or later.
As a temporary workaround, consider avoiding the use of the django.db.models.fields.json.HasKey lookup with untrusted data until a patch is applied.

Fix

Weakness Enumeration

SQL injection

Related Identifiers

ALT-PU-2024-17274
ALT-PU-2025-10176
BDU:2024-10874
BIT-DJANGO-2024-53908
CVE-2024-53908
GHSA-M9G8-FXXM-XG86
MGASA-2025-0039
OESA-2024-2539
OESA-2024-2540
OESA-2024-2541
OESA-2024-2543
OPENSUSE-SU-2024:14565-1
OPENSUSE-SU-2024:14568-1
OPENSUSE-SU-2024_4285-1
OPENSUSE-SU-2026:10005-1
PYSEC-2024-157
RHSA-2025:0340
RHSA-2025:0721
SUSE-SU-2024:4285-1
USN-7136-1

Affected Products

Alt Linux
Debian
Django
Linuxmint
Red Os
Suse
Ubuntu