Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-53908

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

Published

2024-12-06T12:15:18.583

Last Modified

2025-06-09T19:51:17.797

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	djangoproject	django	< 4.2.17	Yes
Application	djangoproject	django	< 5.0.10	Yes
Application	djangoproject	django	< 5.1.4	Yes

References

https://docs.djangoproject.com/en/dev/releases/security/ Patch, Vendor Advisory ([email protected])
https://groups.google.com/g/django-announce Release Notes ([email protected])
https://www.openwall.com/lists/oss-security/2024/12/04/3 Mailing List, Third Party Advisory ([email protected])