—

PYSEC-2024-70

Details

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / django

Introduced in: 5.0 Fixed in: 5.0.8

Fix pip install --upgrade 'django>=4.2.15'

References

https://docs.djangoproject.com/en/dev/releases/security/ [WEB]
https://groups.google.com/forum/#%21forum/django-announce [WEB]
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/ [ARTICLE]
https://github.com/advisories/GHSA-pv4p-cwwg-4rph [ADVISORY]