Cyber Security News

Django Security Update, Patch for DoS & SQL Injection Vulnerability

 The Django team has issued critical security updates for versions 5.1.4, 5.0.10, and 4.2.17.

These updates address two vulnerabilities: a potential denial-of-service (DoS) attack in the strip_tags() method and a high-severity SQL injection risk in Oracle databases.

All developers and system administrators using affected versions are strongly encouraged to update to the newly released versions to ensure the security of their applications.

CVE-2024-53907: Potential Denial-of-Service in strip_tags()

This vulnerability affects the django.utils.html.strip_tags() method and the striptags template filter, which are prone to a DoS attack.

The issue arises in scenarios where these methods handle inputs containing extensive sequences of nested, incomplete HTML entities.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

When such inputs are processed, the application can experience significant performance degradation.

This vulnerability was reported by jiangniao and has been classified as having moderate severity according to Django’s security policy. The affected versions include Django main, 5.1, 5.0, and 4.2.

CVE-2024-53908: Potential SQL Injection in HasKey(lhs, rhs) on Oracle

A second vulnerability was identified in the HasKey lookup, which is part of the django.db.models.fields.json module.

On Oracle databases, this lookup can be exploited for SQL injection if untrusted data is passed as the left-hand side (lhs) value. However, applications using the jsonfield.has_key lookup through the double-underscore (__) syntax remain unaffected.

This vulnerability has been classified as high severity by the Django security team and was reported by Seokchan Yoon. Like the previous issue, affected versions include Django main, 5.1, 5.0, and 4.2.

Affected Supported Versions

The table below details the versions impacted by these vulnerabilities and the corresponding patched versions available in this release:

VersionStatusPatched Version
Django mainAffectedPatched
Django 5.1Affected5.1.4
Django 5.0Affected5.0.10
Django 4.2Affected4.2.17

Resolution and Patches

The Django team has addressed these issues by releasing patches for the main development branch and older supported versions, specifically 5.1, 5.0, and 4.2.

The latest updates—Django 5.1.4, 5.0.10, and 4.2.17—are now available for download. The updates comprehensively resolve the vulnerabilities associated with both CVE-2024-53907 and CVE-2024-53908.

Users can access the patched releases through Django’s official website. The releases were signed with the PGP key belonging to Sarah Boyce (ID: 3955B19851EA96EF).

To mitigate these risks, Django users are advised to update their applications to the latest patched versions immediately.

Additionally, developers should review their codebases for the use of vulnerable methods or lookups, especially on Oracle databases.

Staying informed about future security releases through Django’s official channels is crucial to maintaining the security and stability of applications.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

OpenVPN Flaw Allows Attackers Crash Servers and Run Remote Code

OpenVPN, a widely-used open-source virtual private network (VPN) software, has recently patched a security vulnerability…

42 minutes ago

Apache Traffic Server Flaw Allows Request Smuggling Attacks

A critical vulnerability has been discovered in Apache Traffic Server (ATS), an open-source caching proxy…

47 minutes ago

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

13 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

13 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

13 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

14 hours ago