Описание
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| python-django | fixed | 3:4.2.15-1 | package | |
| python-django | no-dsa | bookworm | package | |
| python-django | postponed | bullseye | package |
Примечания
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28/ (4.2.15)
EPSS
Связанные уязвимости
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Уязвимость методов QuerySet.values() и values_list() моделей JSONField программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольный код
EPSS