Divya
2024-12-06 04:08:00
gbhackers.com
The Django team has issued critical security updates for versions 5.1.4, 5.0.10, and 4.2.17.
These updates address two vulnerabilities: a potential denial-of-service (DoS) attack in the strip_tags() method and a high-severity SQL injection risk in Oracle databases.
All developers and system administrators using affected versions are strongly encouraged to update to the newly released versions to ensure the security of their applications.
CVE-2024-53907: Potential Denial-of-Service in strip_tags()
This vulnerability affects the django.utils.html.strip_tags() method and the striptags template filter, which are prone to a DoS attack.
The issue arises in scenarios where these methods handle inputs containing extensive sequences of nested, incomplete HTML entities.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Free Registration
When such inputs are processed, the application can experience significant performance degradation.
This vulnerability was reported by jiangniao and has been classified as having moderate severity according to Django’s security policy. The affected versions include Django main, 5.1, 5.0, and 4.2.
CVE-2024-53908: Potential SQL Injection in HasKey(lhs, rhs) on Oracle
A second vulnerability was identified in the HasKey lookup, which is part of the django.db.models.fields.json module.
On Oracle databases, this lookup can be exploited for SQL injection if untrusted data is passed as the left-hand side (lhs) value. However, applications using the jsonfield.has_key lookup through the double-underscore (__) syntax remain unaffected.
This vulnerability has been classified as high severity by the Django security team and was reported by Seokchan Yoon. Like the previous issue, affected versions include Django main, 5.1, 5.0, and 4.2.
Affected Supported Versions
The table below details the versions impacted by these vulnerabilities and the corresponding patched versions available in this release:
Version | Status | Patched Version |
Django main | Affected | Patched |
Django 5.1 | Affected | 5.1.4 |
Django 5.0 | Affected | 5.0.10 |
Django 4.2 | Affected | 4.2.17 |
Resolution and Patches
The Django team has addressed these issues by releasing patches for the main development branch and older supported versions, specifically 5.1, 5.0, and 4.2.
The latest updates—Django 5.1.4, 5.0.10, and 4.2.17—are now available for download. The updates comprehensively resolve the vulnerabilities associated with both CVE-2024-53907 and CVE-2024-53908.
Users can access the patched releases through Django’s official website. The releases were signed with the PGP key belonging to Sarah Boyce (ID: 3955B19851EA96EF).
To mitigate these risks, Django users are advised to update their applications to the latest patched versions immediately.
Additionally, developers should review their codebases for the use of vulnerable methods or lookups, especially on Oracle databases.
Staying informed about future security releases through Django’s official channels is crucial to maintaining the security and stability of applications.
Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses
Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.
Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!
Support Techcratic
If you find value in Techcratic’s insights and articles, consider supporting us with Bitcoin. Your support helps me, as a solo operator, continue delivering high-quality content while managing all the technical aspects, from server maintenance to blog writing, future updates, and improvements. Support Innovation! Thank you.
Bitcoin Address:
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge
Please verify this address before sending funds.
Bitcoin QR Code
Simply scan the QR code below to support Techcratic.
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.