2329287 – (CVE-2024-53908) CVE-2024-53908 django: Potential SQL injection in HasKey(lhs, rhs) on Oracle

Bug 2329287 (CVE-2024-53908) - CVE-2024-53908 django: Potential SQL injection in HasKey(lhs, rhs) on Oracle

Summary: CVE-2024-53908 django: Potential SQL injection in HasKey(lhs, rhs) on Oracle

Keywords:
Status:	NEW
Alias:	CVE-2024-53908
Deadline:	2024-12-04
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-11-28 03:01 UTC by OSIDB Bzimport
Modified:	2025-05-15 08:28 UTC (History)
CC List:	30 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:11144	None	None	None	2024-12-16 20:25:05 UTC
Red Hat Product Errata	RHSA-2024:11146	None	None	None	2024-12-16 20:51:11 UTC
Red Hat Product Errata	RHSA-2025:0340	None	None	None	2025-01-15 16:51:05 UTC
Red Hat Product Errata	RHSA-2025:0721	None	None	None	2025-01-27 19:30:15 UTC

Description OSIDB Bzimport 2024-11-28 03:01:28 UTC

Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is
subject to SQL injection if untrusted data is used as a lhs value. Applications that use the   lookup through the __ syntax are unaffected.

Comment 1 errata-xmlrpc 2024-12-16 20:25:02 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:11144 https://access.redhat.com/errata/RHSA-2024:11144

Comment 2 errata-xmlrpc 2024-12-16 20:51:09 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2024:11146 https://access.redhat.com/errata/RHSA-2024:11146

Comment 3 errata-xmlrpc 2025-01-15 16:51:03 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:0340 https://access.redhat.com/errata/RHSA-2025:0340

Comment 4 errata-xmlrpc 2025-01-27 19:30:12 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2025:0721 https://access.redhat.com/errata/RHSA-2025:0721

Note You need to log in before you can comment on or make changes to this bug.

brking
caswilli
davidn
gtanzill
haoli
hkataria
jajackso
jcammara
jmitchel
jneedle
jtanner
jwong
kaycoth
kegrant
kholdawa
koliveir
kshier
lcouzens
mabashia
mskarbek
pbraun
security-response-team
shvarugh
simaishi
smcdonal
stcannon
teagle
tfister
thavo
yguenane