CRITICAL🇵🇱 Wersja polska

CVE-2024-53908

CVSS 9.8v3.1pub. 2024-12-06upd. 2025-06-09

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

🤖 AI Analysis
How it works

The vulnerability occurs when an application directly uses the `django.db.models.fields.json.HasKey` class and passes untrusted user data as the left-hand side (lhs) value, with Oracle as the database backend. In such a configuration, input data is not properly sanitized before being embedded in the SQL query, allowing an attacker to inject malicious SQL code. Applications using lookup through the standard `__` interface (e.g., `jsonfield__has_key`) are not vulnerable — the problem only affects direct use of the lookup class.

Impact

An attacker can read, modify, or delete data in an Oracle database, and in certain configurations potentially gain control over the database server or escalate privileges in the system.

Mitigation & patch

Django should be updated to version 5.1.4, 5.0.10, or 4.2.17 (depending on the branch in use). Until an update is applied, it is recommended to avoid direct use of `django.db.models.fields.json.HasKey` with untrusted data as the left-hand side value and replace it with lookup through the `__` interface (e.g., `jsonfield__has_key`).

Who is affected

Django 5.1 before version 5.1.4, Django 5.0 before version 5.0.10, Django 4.2 before version 4.2.17 — only in installations using Oracle database.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Djangoproject Django

    APP
    Djangoproject
    4.2 – 4.2.17 (bez)5.0 – 5.0.10 (bez)5.1 – 5.1.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2026-4277CRITICAL9.8PL ✓ten sam produkt

Django: brak walidacji uprawnień dodawania w GenericInlineModelAdmin

CVE-2025-64459CRITICAL9.1PL ✓ten sam produkt

SQL injection w Django via argument _connector w QuerySet i Q()

CVE-2023-31047CRITICAL9.8ten sam produkt

In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when...

CVE-2022-34265CRITICAL9.8ten sam produkt

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database f...

CVE-2022-28346CRITICAL9.8ten sam produkt

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotat...