The Django team has issued critical security updates in versions 5.1.4, 5.0.10, and 4.2.17.
These releases address two vulnerabilities: a potential denial-of-service (DoS) attack in the strip_tags() method, and a high-severity SQL injection risk affecting Oracle databases.
All developers and system administrators running affected versions are strongly encouraged to upgrade to the newly released versions to keep their applications secure.
CVE-2024-53907: Potential Denial-of-Service in strip_tags()
This vulnerability affects the django.utils.html.strip_tags() method and the striptags template filter, both of which are susceptible to a DoS attack.
The problem arises when these methods handle inputs containing long sequences of nested, incomplete HTML entities.
When such inputs are processed, the application can experience significant performance degradation.
This vulnerability was reported by jiangniao and has been classified as moderate severity under Django's security policy. The affected versions include Django main, 5.1, 5.0, and 4.2.
CVE-2024-53908: Potential SQL Injection in HasKey(lhs, rhs) on Oracle
A second vulnerability was identified in the HasKey lookup, which is part of the django.db.models.fields.json module.
On Oracle databases, this lookup can be exploited for SQL injection if untrusted data is passed as the left-hand side (lhs) value. Applications that use the jsonfield.has_key lookup through the double-underscore (__) syntax are unaffected.
This vulnerability has been classified as high severity by the Django security team and was reported by Seokchan Yoon. As with the previous issue, the affected versions include Django main, 5.1, 5.0, and 4.2.
Affected Supported Versions
The table below lists the versions impacted by these vulnerabilities and the corresponding patched versions available in this release:
Version | Status | Patched Version
--- | --- | ---
Django main | Affected | Patched
Django 5.1 | Affected | 5.1.4
Django 5.0 | Affected | 5.0.10
Django 4.2 | Affected | 4.2.17
Resolution and Patches
The Django team has addressed these issues by releasing patches for the main development branch and the older supported versions, specifically 5.1, 5.0, and 4.2.
The latest updates (Django 5.1.4, 5.0.10, and 4.2.17) are now available for download. They fully resolve the vulnerabilities tracked as CVE-2024-53907 and CVE-2024-53908.
Users can obtain the patched releases through Django's official website. The releases were signed with the PGP key belonging to Sarah Boyce (ID: 3955B19851EA96EF).
To mitigate these risks, Django users are advised to upgrade their applications to the latest patched versions immediately.
In addition, developers should review their codebases for use of the vulnerable methods and lookups, particularly when running on Oracle databases.
Staying informed about future security releases through Django's official channels is essential to maintaining the security and stability of applications.