CVE-2024-53908

Name	CVE-2024-53908
Description	An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-django (PTS)	jessie, jessie (lts)	1.7.11-1+deb8u17	fixed
	stretch (security)	1:1.10.7-2+deb9u17	fixed
	stretch (lts), stretch	1:1.10.7-2+deb9u23	fixed
	buster, buster (lts)	1:1.11.29-1+deb10u12	fixed
	buster (security)	1:1.11.29-1+deb10u11	fixed
	bullseye (security), bullseye	2:2.2.28-1~deb11u2	fixed
	bookworm (security), bookworm	3:3.2.19-1+deb12u1	vulnerable
	trixie	3:4.2.16-1	vulnerable
	sid	3:4.2.17-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
python-django	source	jessie	(not affected)
python-django	source	stretch	(not affected)
python-django	source	buster	(not affected)
python-django	source	bullseye	(not affected)
python-django	source	(unstable)	3:4.2.17-1

Notes

[bullseye] - python-django <not-affected> (Vulnerable code introduce later)
https://www.djangoproject.com/weblog/2024/dec/04/security-releases/
Fixed by: https://github.com/django/django/commit/7376bcbf508883282ffcc0f0fac5cf0ed2d6cbc5 (4.2.17)
[buster] - python-django <not-affected> (Vulnerable code introduce later)
[stretch] - python-django <not-affected> (Vulnerable code introduce later)
[jessie] - python-django <not-affected> (Vulnerable code introduce later)