Описание
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
A vulnerability was found in the Django Web Framework. The direct usage of django.db.models.fields.json.HasKey may be vulnerable to SQL injection if untrusted data is used to perform queries.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | ansible-tower | Will not fix | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-dellemc-openmanage-rhel8 | Not affected | ||
| Red Hat Discovery | discovery-server-container | Not affected | ||
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | ansible-automation-platform-24/aap-cloud-billing-rhel8 | Fixed | RHSA-2024:11144 | 16.12.2024 |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | ansible-automation-platform-24/aap-cloud-billing-rhel8-operator | Fixed | RHSA-2024:11144 | 16.12.2024 |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | ansible-automation-platform-24/aap-cloud-metrics-collector-rhel8 | Fixed | RHSA-2024:11144 | 16.12.2024 |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | ansible-automation-platform-24/aap-cloud-ui-rhel8 | Fixed | RHSA-2024:11144 | 16.12.2024 |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | ansible-automation-platform-24/aap-cloud-ui-rhel8-operator | Fixed | RHSA-2024:11144 | 16.12.2024 |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | ansible-automation-platform-24/aap-must-gather-rhel8 | Fixed | RHSA-2024:11144 | 16.12.2024 |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | ansible-automation-platform-24/ansible-builder-rhel8 | Fixed | RHSA-2024:11144 | 16.12.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
9.1 Critical
CVSS3
Связанные уязвимости
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, ...
Django SQL injection in HasKey(lhs, rhs) on Oracle
Уязвимость класса django.db.models.fields.json.HasKey программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольный SQL-код
EPSS
9.1 Critical
CVSS3