About the Vulnerability
Introduction
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Built by experienced developers, it solves most of the problems of Web development, allowing you to focus on writing your application without having to reinvent the wheel. It is free and open source.
Summary
On December 6, 2024, Sangfor FarSight Labs received notification of an SQL injection vulnerability in a Django component (CVE-2024-53908), classified as high in threat level.
When Oracle is used as the backend database, the Django framework contains an SQL injection vulnerability. If untrusted data reaches django.db.models.fields.json.HasKey as the lhs value, an attacker can inject malicious SQL statements into the database query, leading to data leakage and server compromise.
Affected Versions
Django 5.1 < 5.1.4
Django 5.0 < 5.0.10
Django 4.2 < 4.2.17
Solutions
Remediation Solutions
Check the System Version
Run this command in a terminal to check the installed Django version:
django-admin --version
Official Solution
Secure versions:
Django 5.1.4
Django 5.0.10
Django 4.2.17
Fixed versions have been officially released. Users running Oracle as the backend database are advised to upgrade Django to one of the secure versions or later.
Download link: https://www.djangoproject.com/download/
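To turn the version check and the affected ranges above into a repeatable test, here is an added example (not part of the advisory or of Django itself) that parses the output of django-admin --version and classifies it against the fixed releases listed on this page; the assess_installed helper, which shells out to django-admin, is an assumption that the command is on PATH.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases taken from this advisory: the first release of each
# supported series that is no longer affected by CVE-2024-53908.
FIXED_RELEASES = {
    (4, 2): (4, 2, 17),
    (5, 0): (5, 0, 10),
    (5, 1): (5, 1, 4),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'django-admin --version' output such as '5.1.3' into (5, 1, 3)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text: str) -> dict:
    """Classify a Django version against the advisory's fixed releases.

    Only the three series named in the advisory are classified; any other
    series (for example an end-of-life 4.1.x) is reported as 'unknown'.
    """
    version = parse_version(version_text)
    fixed: Optional[Tuple[int, int, int]] = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        status = "unknown"
    elif version < fixed:
        status = "vulnerable"
    else:
        status = "fixed"
    return {"version": version, "status": status, "fixed_in": fixed}


def assess_installed() -> dict:
    """Run the advisory's check command and classify the result (assumes django-admin on PATH)."""
    out = subprocess.run(["django-admin", "--version"],
                         capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    print(assess_installed())
```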
Timeline
On December 6, 2024, Sangfor FarSight Labs received notification of Django Oracle Database SQL Injection Vulnerability.
On December 6, 2024, Sangfor FarSight Labs released a vulnerability alert.
References
https://www.djangoproject.com/weblog/2024/dec/04/security-releases/