CVE-2024-53908
Publication date 4 December 2024
Last updated 11 December 2024
Ubuntu priority
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-django | 24.10 oracular |
Fixed 3:4.2.15-1ubuntu1.1
|
| 24.04 LTS noble |
Fixed 3:4.2.11-1ubuntu1.4
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
mdeslaur
There is no JSONField model field in focal and earlier. Lookup expressions were introduced here: https://github.com/django/django/commit/f42ccdd835e5b3f0914b5e6f87621c648136ea36 so jammy doesn't appear to be affected.
References
Related Ubuntu Security Notices (USN)
- USN-7136-1
- Django vulnerabilities
- 4 December 2024