Django Security Update, Patch for DoS & SQL Injection Vulnerability

 The Django team has issued critical security updates for versions 5.1.4, 5.0.10, and 4.2.17.

These updates address two vulnerabilities: a potential denial-of-service (DoS) attack in the strip_tags() method and a high-severity SQL injection risk in Oracle databases.

All developers and system administrators using affected versions are strongly encouraged to update to the newly released versions to ensure the security of their applications.

CVE-2024-53907: Potential Denial-of-Service in strip_tags()

This vulnerability affects the django.utils.html.strip_tags() method and the striptags template filter, which are prone to a DoS attack.

The issue arises in scenarios where these methods handle inputs containing extensive sequences of nested, incomplete HTML entities.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

When such inputs are processed, the application can experience significant performance degradation.

This vulnerability was reported by jiangniao and has been classified as having moderate severity according to Django’s security policy. The affected versions include Django main, 5.1, 5.0, and 4.2.

CVE-2024-53908: Potential SQL Injection in HasKey(lhs, rhs) on Oracle

A second vulnerability was identified in the HasKey lookup, which is part of the django.db.models.fields.json module.

On Oracle databases, this lookup can be exploited for SQL injection if untrusted data is passed as the left-hand side (lhs) value. However, applications using the jsonfield.has_key lookup through the double-underscore (__) syntax remain unaffected.

This vulnerability has been classified as high severity by the Django security team and was reported by Seokchan Yoon. Like the previous issue, affected versions include Django main, 5.1, 5.0, and 4.2.

Affected Supported Versions

The table below details the versions impacted by these vulnerabilities and the corresponding patched versions available in this release:

Version	Status	Patched Version
Django main	Affected	Patched
Django 5.1	Affected	5.1.4
Django 5.0	Affected	5.0.10
Django 4.2	Affected	4.2.17

Resolution and Patches

The Django team has addressed these issues by releasing patches for the main development branch and older supported versions, specifically 5.1, 5.0, and 4.2.

The latest updates—Django 5.1.4, 5.0.10, and 4.2.17—are now available for download. The updates comprehensively resolve the vulnerabilities associated with both CVE-2024-53907 and CVE-2024-53908.

Users can access the patched releases through Django’s official website. The releases were signed with the PGP key belonging to Sarah Boyce (ID: 3955B19851EA96EF).

To mitigate these risks, Django users are advised to update their applications to the latest patched versions immediately.

Additionally, developers should review their codebases for the use of vulnerable methods or lookups, especially on Oracle databases.

Staying informed about future security releases through Django’s official channels is crucial to maintaining the security and stability of applications.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses