Cyber Security News

Django Security Update, Patch for DoS & SQL Injection Vulnerability

 The Django team has issued critical security updates for versions 5.1.4, 5.0.10, and 4.2.17.

These updates address two vulnerabilities: a potential denial-of-service (DoS) attack in the strip_tags() method and a high-severity SQL injection risk in Oracle databases.

All developers and system administrators using affected versions are strongly encouraged to update to the newly released versions to ensure the security of their applications.

CVE-2024-53907: Potential Denial-of-Service in strip_tags()

This vulnerability affects the django.utils.html.strip_tags() method and the striptags template filter, which are prone to a DoS attack.

The issue arises in scenarios where these methods handle inputs containing extensive sequences of nested, incomplete HTML entities.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

When such inputs are processed, the application can experience significant performance degradation.

This vulnerability was reported by jiangniao and has been classified as having moderate severity according to Django’s security policy. The affected versions include Django main, 5.1, 5.0, and 4.2.

CVE-2024-53908: Potential SQL Injection in HasKey(lhs, rhs) on Oracle

A second vulnerability was identified in the HasKey lookup, which is part of the django.db.models.fields.json module.

On Oracle databases, this lookup can be exploited for SQL injection if untrusted data is passed as the left-hand side (lhs) value. However, applications using the jsonfield.has_key lookup through the double-underscore (__) syntax remain unaffected.

This vulnerability has been classified as high severity by the Django security team and was reported by Seokchan Yoon. Like the previous issue, affected versions include Django main, 5.1, 5.0, and 4.2.

Affected Supported Versions

The table below details the versions impacted by these vulnerabilities and the corresponding patched versions available in this release:

VersionStatusPatched Version
Django mainAffectedPatched
Django 5.1Affected5.1.4
Django 5.0Affected5.0.10
Django 4.2Affected4.2.17

Resolution and Patches

The Django team has addressed these issues by releasing patches for the main development branch and older supported versions, specifically 5.1, 5.0, and 4.2.

The latest updates—Django 5.1.4, 5.0.10, and 4.2.17—are now available for download. The updates comprehensively resolve the vulnerabilities associated with both CVE-2024-53907 and CVE-2024-53908.

Users can access the patched releases through Django’s official website. The releases were signed with the PGP key belonging to Sarah Boyce (ID: 3955B19851EA96EF).

To mitigate these risks, Django users are advised to update their applications to the latest patched versions immediately.

Additionally, developers should review their codebases for the use of vulnerable methods or lookups, especially on Oracle databases.

Staying informed about future security releases through Django’s official channels is crucial to maintaining the security and stability of applications.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zimbra Collaboration GraphQL Flaw Lets Hackers Steal User Information

 A severe Cross-Site Request Forgery (CSRF) vulnerability in Zimbra Collaboration Suite (ZCS) versions 9.0 to…

7 minutes ago

Researchers Exploit OAuth Misconfigurations to Gain Unrestricted Access to Sensitive Data

A security researcher has uncovered a serious vulnerability resulting from incorrectly configured OAuth2 credentials in…

29 minutes ago

AWS Defaults Open Stealthy Attack Paths Enabling Privilege Escalation and Account Compromise

A recent investigation by security researchers has exposed critical vulnerabilities in the default IAM roles…

34 minutes ago

China-Linked Hackers Targeting Organizational Infrastructure and High-Value Clients

A leading U.S.-based cybersecurity firm, sophisticated cyber-espionage campaigns attributed to Chinese state-sponsored actors have come…

41 minutes ago

Docker Registry Vulnerability Lets macOS Users Access Any Registry Without Authorization

A recently discovered vulnerability in Docker Desktop for macOS is raising concerns in the developer and security…

2 hours ago

PowerDNS DNSdist Vulnerability Let Attackers Trigger Denial-of-Service

PowerDNS has issued an urgent security advisory for its DNSdist software, warning users of a…

2 hours ago