Software vulnerabilities can have significant impacts on users, businesses, and developers. Recently, an SQL injection vulnerability (CVE-2024-53908) was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Django is a popular, open-source web framework written in Python. This particular vulnerability affects applications that use Django's JSONField lookups with an Oracle database.

In this long-read post, we'll dissect the CVE-2024-53908 vulnerability, look at the code snippet causing the issue, and discuss the details of the exploit. We'll also provide links to original references where you can learn more about this vulnerability.

Vulnerability Overview

The problem lies in the direct usage of the django.db.models.fields.json.HasKey lookup. When an Oracle database is used, this lookup is subject to SQL injection if untrusted data is used as its lhs (left-hand side) value. It's worth noting that applications using the JSONField has_key lookup through the double-underscore syntax (data__has_key=...) are not affected.

Below is an example of what the code might look like when the HasKey lookup is used directly with an untrusted left-hand side, alongside the unaffected double-underscore form:

from django.db import models
from django.db.models.fields.json import HasKey, KeyTransform

class MyModel(models.Model):
    data = models.JSONField()

# Potential SQL injection on Oracle before the fixed releases: the HasKey
# lookup is constructed directly and its left-hand side (here a KeyTransform
# on the "data" column) is built from untrusted input. This is an
# illustrative way of producing an untrusted lhs, not the advisory's own
# proof of concept.
untrusted_lhs_value = 'untrusted_input_here'
MyModel.objects.filter(HasKey(KeyTransform(untrusted_lhs_value, 'data'), 'some_key'))

# Not affected: the same check written with the double-underscore lookup syntax.
MyModel.objects.filter(data__has_key='some_key')

Exploit Details

An attacker can exploit this vulnerability by creating a specially crafted input value as the left-hand side of the lookup. This malicious input can then be used to manipulate the SQL query and execute arbitrary SQL commands against the Oracle database. SQL injection is a dangerous attack, as it can lead to unauthorized data access, data tampering, or even data loss.

Mitigation

To fix this issue, the Django team has released security updates. Developers using Django should update their installations to the fixed versions: Django 5.1.4, 5.0.10, or 4.2.17. The updates close the SQL injection by properly handling the left-hand side value of the HasKey lookup on Oracle.

You can find the detailed release notes for Django 5.1.4, 5.0.10, and 4.2.17 here:

- Django 5.1.4 Release Notes
- Django 5.0.10 Release Notes
- Django 4.2.17 Release Notes

For future reference, it's always a good practice to validate or sanitize user inputs to prevent SQL injections or other similar attacks.
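The two mitigations above (upgrade, and never let untrusted input reach the lookup's key position) can both be checked in code. The following is an added example written for this post, not code from the Django project: it encodes the affected version ranges from the advisory so you can flag an installed Django version, and it builds the unaffected data__has_key filter only from an allowlisted key name. The model and field names, the allowlist, and the sample versions are all assumptions for the example; it runs without Django installed because it only produces the keyword arguments you would pass to QuerySet.filter().

```python
from typing import Dict, FrozenSet, Optional, Tuple

# Fixed releases named in the advisory. A version in the same minor series
# but below the fix is affected; series not listed here are unsupported by
# the advisory and need a separate check.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 1): (5, 1, 4),
    (5, 0): (5, 0, 10),
    (4, 2): (4, 2, 17),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Django version string such as '5.1.3' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Django version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it carries the fix,
    None if the series is not covered by this advisory (for example 5.2 or 4.1)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison handles '5.1' (no patch level) as well as '5.1.3'.
    return v < fixed


# Hypothetical allowlist of JSON keys the application actually queries on.
ALLOWED_JSON_KEYS: FrozenSet[str] = frozenset({"owner", "status", "tenant_id"})


def build_has_key_filter(field: str, key: str, allowed: FrozenSet[str]) -> Dict[str, str]:
    """Return the kwargs for the unaffected ``<field>__has_key`` lookup, but only
    after the key has been matched against an allowlist, so request input can
    never choose an arbitrary key position in the query."""
    if key not in allowed:
        raise ValueError(f"JSON key {key!r} is not an allowed lookup key")
    return {f"{field}__has_key": key}


if __name__ == "__main__":
    for sample in ("5.1.3", "5.1.4", "5.0.9", "4.2.17", "5.2"):
        print(sample, "->", is_affected(sample))
    # In a Django project this would be: MyModel.objects.filter(**kwargs)
    kwargs = build_has_key_filter("data", "owner", ALLOWED_JSON_KEYS)
    print(kwargs)
```

In a view, the request parameter goes through build_has_key_filter() first and the returned dictionary is splatted into filter(); anything outside the allowlist is rejected before a query is built. The version check is useful in a deployment pipeline or an inventory script, where django.get_version() or the pinned requirement can be passed in.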

Conclusion

SQL injection vulnerabilities, such as the one described in this post (CVE-2024-53908), can pose serious threats to web applications and their users. It's crucial for developers to stay informed about potential vulnerabilities and take action to protect their applications by keeping their software up-to-date.

If you want to learn more about this vulnerability and how it was discovered, you can visit the following original references:
- Django Official Security Advisory
- CVE-2024-53908 in the CVE database

Timeline

Published on: 12/06/2024 12:15:18 UTC
Last modified on: 12/06/2024 17:15:12 UTC