About the Vulnerability

Introduction

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Built by experienced developers, it solves most of the problems of Web development, allowing you to focus on writing your application without having to reinvent the wheel. It is free and open source.

Summary

On December 6, 2024, Sangfor FarSight Labs received notification of an SQL injection vulnerability in a Django component (CVE-2024-53908), classified as high in threat level.

When Oracle is used as the backend database, the Django framework is vulnerable to SQL injection. Through django.db.models.fields.json.HasKey, an attacker can supply a crafted lhs value that is passed into the SQL sent to the database, leading to data leakage and server compromise.

Affected Versions

Django 5.1 < 5.1.4

Django 5.0 < 5.0.10

Django 4.2 < 4.2.17

Solutions

Remediation Solutions

Check the System Version

Run this command in a console to check the installed Django version:

django-admin --version

Official Solution

Secure versions:

Django 5.1.4

Django 5.0.10

Django 4.2.17

Fixed versions have been officially released. Users running Django with Oracle as the backend database are recommended to update to the secure versions listed above or later.

Download link: https://www.djangoproject.com/download/
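The two remediation steps above (check the installed version, compare it against the secure releases) can be scripted. This is an added example, not code from Sangfor or the Django project: it parses the output of the advisory's `django-admin --version` command, places it in the advisory's affected ranges, and reports "vulnerable" only when the project's DATABASES setting actually uses the Oracle backend, since the page limits the issue to that backend. The `triage` verdict strings and the sample DATABASES dict are assumptions of this example.

```python
import re
import subprocess
from typing import Optional

# Branch -> first fixed patch release, taken from the advisory's affected ranges.
FIXED_PATCH = {(5, 1): 4, (5, 0): 10, (4, 2): 17}
# The page limits the issue to Oracle; this is Django's engine path for it.
ORACLE_ENGINE = "django.db.backends.oracle"

def parse_version(text: str) -> tuple:
    """Turn '5.1.3' or '5.1.3rc1' into (5, 1, 3); a missing patch counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_affected_version(version: str) -> Optional[bool]:
    """True inside an affected range, False if fixed or on a newer branch,
    None when the advisory does not list the branch at all."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    if branch > max(FIXED_PATCH):
        return False  # released after the fix ("secure versions or later")
    return None

def uses_oracle(databases: dict) -> bool:
    """True if any DATABASES alias is configured with the Oracle backend."""
    return any(cfg.get("ENGINE") == ORACLE_ENGINE for cfg in databases.values())

def triage(version: str, databases: dict) -> str:
    """Combine version range and backend into a one-word verdict (assumed labels)."""
    affected = is_affected_version(version)
    if affected is None:
        return "unsupported-branch"  # advisory is silent: move to a listed release
    if not affected:
        return "fixed"
    return "vulnerable" if uses_oracle(databases) else "not-exposed"

def installed_django_version() -> Optional[str]:
    """Run the advisory's check command; None if django-admin is not on PATH."""
    try:
        out = subprocess.run(["django-admin", "--version"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()
```

Call `triage(installed_django_version(), settings.DATABASES)` from a shell inside the project's virtualenv; "not-exposed" means the version is in range but no Oracle backend is configured, so the finding is informational rather than exploitable on that deployment.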

Timeline

On December 6, 2024, Sangfor FarSight Labs received notification of the Django Oracle database SQL injection vulnerability.

On December 6, 2024, Sangfor FarSight Labs released a vulnerability alert.

References

https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
