CVE-2024-53908
Description
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Django's HasKey lookup on Oracle is vulnerable to SQL injection when untrusted lhs values are used, affecting versions before 5.1.4, 5.0.10, and 4.2.17.
Vulnerability
Description
CVE-2024-53908 is a SQL injection vulnerability in Django's django.db.models.fields.json.HasKey lookup when used with an Oracle database. The issue arises when untrusted data is passed as the left-hand side (lhs) value, allowing an attacker to inject arbitrary SQL. Applications using the jsonfield.has_key lookup via double underscores (__) are unaffected [3].
Exploitation
To exploit this vulnerability, an attacker must be able to supply untrusted input to the lhs of a HasKey lookup. This scenario typically occurs when user-controlled data is directly used in a database query without proper sanitization. The vulnerability is specific to Oracle databases, as the underlying SQL generation handles the lhs differently on that platform [4].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the Oracle database, potentially leading to data leakage, modification, or deletion. The severity depends on the database permissions of the Django application [3].
Mitigation
The Django team has released patched versions: 5.1.4, 5.0.10, and 4.2.17. Users are strongly advised to upgrade immediately. No workarounds are available for Oracle databases, but the issue does not affect other database backends [4].
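As an added example (not from the advisory, the Django project, or this page's sources), the helper below checks a Django version string against the affected ranges stated above and scans Python source for direct `HasKey(...)` construction, the pattern the description singles out; `is_affected`, `find_direct_haskey_calls` and the `SAMPLE` source are constructed here for illustration.

```python
"""Added example, not from the advisory or Django: checks a plain dotted
Django version string against the affected ranges and scans Python source
for direct HasKey(...) construction. Standard library only."""
import ast
from typing import List, Tuple

# Affected ranges from the description: [lower inclusive, fixed exclusive)
AFFECTED_RANGES = [((4, 2, 0), (4, 2, 17)), ((5, 0, 0), (5, 0, 10)), ((5, 1, 0), (5, 1, 4))]


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.1.3' -> (5, 1, 3); missing components default to 0 (plain dotted versions only)."""
    parts = tuple(int(p) for p in v.split(".")[:3])
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True when the version lies inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


class _HasKeyFinder(ast.NodeVisitor):
    """Records line numbers of HasKey(...) calls, bare or attribute-qualified."""
    def __init__(self) -> None:
        self.hits: List[int] = []

    def visit_Call(self, node: ast.Call) -> None:
        f = node.func
        name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
        if name == "HasKey":
            self.hits.append(node.lineno)
        self.generic_visit(node)


def find_direct_haskey_calls(source: str) -> List[int]:
    """Return line numbers where HasKey is instantiated directly."""
    finder = _HasKeyFinder()
    finder.visit(ast.parse(source))
    return finder.hits


# Constructed sample: line 3 builds the lookup by hand from request input
# (flagged for review); line 5 uses the data__has_key ORM syntax, which the
# advisory states is unaffected (not flagged).
SAMPLE = """\
from django.db.models.fields.json import HasKey, KeyTransform
def view(request, qs):
    risky = qs.filter(HasKey(KeyTransform(request.GET["k"], "data"), "x"))
    # preferred: the key goes through the ORM lookup machinery
    safe = qs.filter(data__has_key=request.GET["k"])
    return risky, safe
"""
```

A flagged line is a review prompt, not proof of injection; whether the lhs is actually untrusted and the backend is Oracle still has to be confirmed by hand.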
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Django (PyPI) | >= 5.0.0, < 5.0.10 | 5.0.10 |
| Django (PyPI) | >= 5.1.0, < 5.1.4 | 5.1.4 |
| Django (PyPI) | >= 4.2.0, < 4.2.17 | 4.2.17 |
| django (PyPI) | >= 5.1, < 5.1.4 | 5.1.4 |
| django (PyPI) | >= 5.0, < 5.0.10 | 5.0.10 |
| django (PyPI) | >= 4.2, < 4.2.17 | 4.2.17 |
Affected products
- Range: >=4.2, <4.2.17 or >=5.0, <5.0.10 or >=5.1, <5.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m9g8-fxxm-xg86 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-53908 (GHSA, advisory)
- docs.djangoproject.com/en/dev/releases/security (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-157.yaml (GHSA, web)
- groups.google.com/g/django-announce (GHSA, web)
- www.djangoproject.com/weblog/2024/dec/04/security-releases (GHSA, web)
- www.openwall.com/lists/oss-security/2024/12/04/3 (GHSA, web)
- docs.djangoproject.com/en/dev/releases/security/ (MITRE)
News mentions
No linked articles in our index yet.