Django SQL injection in HasKey(lhs, rhs) on Oracle

GHSA-m9g8-fxxm-xg86 · BIT-django-2024-53908 · CVE-2024-53908 · PYSEC-2024-157

Published Dec 6, 2024 · Modified Feb 4, 2026

Description

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-53908
WEB https://docs.djangoproject.com/en/dev/releases/security
PACKAGE https://github.com/django/django
WEB https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-157.yaml
WEB https://groups.google.com/g/django-announce
WEB https://www.djangoproject.com/weblog/2024/dec/04/security-releases
WEB https://www.openwall.com/lists/oss-security/2024/12/04/3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes