CVE-2024-53908: Django Potential SQL injection in `HasKey(lhs, rhs)` on Oracle

High
Internet Bug Bounty

Team Summary

Official summary from Internet Bug Bounty

### CVE-2024-53908: Potential SQL injection in HasKey(lhs, rhs) on Oracle

Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is subject to SQL injection if untrusted data is used as a lhs value. Applications that use the jsonfield.has_key lookup through the __ syntax are unaffected. Thanks to Seokchan Yoon for the report. This issue has severity "high" according to the Django security policy.

Reported by scyoon

Vulnerability Details

Technical details and impact analysis

SQL Injection

I've found a potential SQL Injection vulnerability and reported it to the Django team. You can find detailed information at the following links:

- https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2024-53908

Direct usage of the `django.db.models.fields.json.HasKey` lookup on Oracle is subject to SQL injection if untrusted data is used as a lhs value. Applications that use the `jsonfield.has_key` lookup through the `__` syntax are unaffected.

## Impact

This vulnerability could potentially allow an attacker to execute arbitrary SQL commands, leading to unauthorized access, data manipulation, or information disclosure. The issue affects the Django Framework, particularly when using the `HasKey` lookup on Oracle databases.
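The advisory draws a line between two ways of reaching the same lookup: the `__has_key` keyword syntax (unaffected) and direct construction of `HasKey(lhs, rhs)` (affected on Oracle when `lhs` is untrusted). The following audit helper is an added example, not code from the HuntDB page, the reporter or the Django project; it walks a Python module's AST and lists every direct `HasKey(...)` call for review, noting whether the `lhs` argument is a string literal, and separately lists `__has_key` keyword lookups. The `SAMPLE_SOURCE` module and the `Doc` model it references are constructed for the example; static analysis cannot decide whether a runtime-built `lhs` is untrusted, so the helper reports those calls rather than judging them.

```python
"""Audit helper for CVE-2024-53908 (added example, not from Django or the report).

Finds direct django.db.models.fields.json.HasKey(...) calls, which the
advisory says are injectable on Oracle when the lhs is untrusted, and
lists ``<field>__has_key=`` keyword lookups, which it says are unaffected.
"""
import ast

# Constructed sample application module for the demonstration (not real project code).
SAMPLE_SOURCE = '''
from django.db.models.fields.json import HasKey, KeyTransform
from myapp.models import Doc  # hypothetical model

def safe(key):
    return Doc.objects.filter(data__has_key=key)

def direct(key):
    return Doc.objects.filter(HasKey(KeyTransform(key, "data"), "id"))

def direct_literal():
    return Doc.objects.filter(HasKey("data", "id"))
'''


def _call_name(node):
    """Return the bare name of the callee for Name and Attribute callees."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def audit_has_key(source):
    """Return (direct_calls, keyword_lookups) found in ``source``.

    direct_calls: sorted list of (lineno, lhs_is_string_literal) for HasKey(...) calls.
    keyword_lookups: sorted list of line numbers using a ``...__has_key=`` kwarg.
    """
    tree = ast.parse(source)
    direct, keyword = [], []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        if _call_name(node) == "HasKey":
            lhs = node.args[0] if node.args else None
            lhs_literal = isinstance(lhs, ast.Constant) and isinstance(lhs.value, str)
            direct.append((node.lineno, lhs_literal))
        for kw in node.keywords:
            # kw.arg is None for **kwargs expansion; skip those.
            if kw.arg and kw.arg.endswith("__has_key"):
                keyword.append(node.lineno)
    return sorted(direct), sorted(keyword)


def report(source):
    """Render audit findings as human-readable lines for a code review."""
    direct, keyword = audit_has_key(source)
    lines = []
    for lineno, literal in direct:
        note = ("lhs is a string literal"
                if literal else "lhs built at runtime: review for untrusted input")
        lines.append(f"line {lineno}: direct HasKey() call ({note})")
    for lineno in keyword:
        lines.append(f"line {lineno}: __has_key keyword lookup (unaffected per advisory)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SOURCE):
        print(line)
```

Run against a real code base by reading each `.py` file and passing its text to `report()`; the findings with "lhs built at runtime" are the ones to trace back to their inputs, or to move onto the `__has_key` syntax the advisory describes as unaffected.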

Related CVEs

Associated Common Vulnerabilities and Exposures

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ …

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

SQL Injection