Описание
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Ссылки
- PatchVendor Advisory
- Not Applicable
- Vendor Advisory
Уязвимые конфигурации
Одно из
EPSS
7.3 High
CVSS3
9.8 Critical
CVSS3
Дефекты
Связанные уязвимости
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2. ...
Уязвимость методов QuerySet.values() и values_list() моделей JSONField программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольный код
EPSS
7.3 High
CVSS3
9.8 Critical
CVSS3