Django Releases Patches for CVE-2024-53907 and CVE-2024-53908 to Mitigate DoS and SQLi Threats


The Django team has recently announced the release of Django 5.1.4, Django 5.0.10, and Django 4.2.17 to address two security vulnerabilities. All users are strongly encouraged to upgrade their Django installations as soon as possible.

CVE-2024-53907: Potential Denial-of-Service Attack

The first vulnerability, identified as CVE-2024-53907, involves a potential denial-of-service (DoS) vulnerability in the django.utils.html.strip_tags() method and striptags template filter. According to the advisory, “certain inputs containing large sequences of nested incomplete HTML entities” could trigger this vulnerability. This issue has been classified as having “moderate” severity.

CVE-2024-53908: Potential SQL Injection Vulnerability

The second, and more serious, vulnerability, designated as CVE-2024-53908, is a potential SQL injection vulnerability affecting the django.db.models.fields.json.HasKey lookup on Oracle databases. The advisory warns that “direct usage of the django.db.models.fields.json.HasKey lookup on Oracle is subject to SQL injection if untrusted data is used as a lhs value.” However, the team clarifies that “applications that use the jsonfield.has_key lookup through the __ syntax are unaffected.” This vulnerability has been assigned a “high” severity rating.
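The practical takeaway from the advisory is that untrusted data must never become the lhs of a JSON key lookup; it belongs on the rhs, reached through the `<field>__has_key` syntax the advisory says is unaffected. The helper below is an added example (not Django's code and not from the advisory) that builds filter kwargs for `Model.objects.filter(**kwargs)` that way: the field name, which ends up in the lookup path, is drawn from a fixed allowlist, and the caller-supplied key is only ever passed as the lookup value. The allowlist contents and the `has_key_filter` name are assumptions for illustration.

```python
# Added example, not from Django or the advisory: keep untrusted input out of
# the lhs of a JSON key lookup by always going through "<field>__has_key" and
# choosing the field from an allowlist instead of from request data.
from typing import Dict, FrozenSet

# Hypothetical allowlist of JSONField names on the model that callers may query.
ALLOWED_JSON_FIELDS: FrozenSet[str] = frozenset({"data", "metadata"})


def has_key_filter(field: str, key: str,
                   allowed: FrozenSet[str] = ALLOWED_JSON_FIELDS) -> Dict[str, str]:
    """Return kwargs for Model.objects.filter(**kwargs) using the __ syntax.

    `field` becomes part of the lookup path (the lhs), so it must be one of
    the known JSONField names. `key` is the untrusted value; it is passed as
    the lookup's rhs, the position the advisory describes as unaffected.
    """
    if not isinstance(field, str) or field not in allowed:
        raise ValueError(f"unknown JSON field: {field!r}")
    if not isinstance(key, str) or not key:
        raise ValueError("key must be a non-empty string")
    return {f"{field}__has_key": key}


if __name__ == "__main__":
    # Typical call site (constructed): field fixed by the view, key from the request.
    print(has_key_filter("data", "owner"))  # {'data__has_key': 'owner'}
```

In a view this is used as `Model.objects.filter(**has_key_filter("data", request.GET["k"]))`; the request value can only ever land in the `has_key` rhs, and any attempt to pass a field name from the request fails the allowlist check before a query is built.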

Affected Versions and Resolution

The vulnerabilities impact the following supported Django versions:

  • Django main
  • Django 5.1
  • Django 5.0
  • Django 4.2

Patches to address both CVE-2024-53907 and CVE-2024-53908 have been applied to the main, 5.1, 5.0, and 4.2 branches. Users can obtain the patches from the respective changesets provided in the official security advisory.
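A quick way to act on the release list above is to compare an installed Django version against the fixed release for its branch. The script below is an added example (not Django's own tooling) that encodes the three fixed releases named in the advisory, treats pre-release and dev builds of a fixed version as not yet patched, and treats branches the advisory does not list (including the unreleased main branch and out-of-support series) as unpatched because no fixed release exists for them. Function names are my own.

```python
# Added example, not from the advisory: check whether a Django version string
# is at or above the fixed release for its branch.
from typing import Dict, Tuple

# Fixed releases per supported branch, as named in the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 1): (5, 1, 4),
    (5, 0): (5, 0, 10),
    (4, 2): (4, 2, 17),
}


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_prerelease) for strings like
    '5.1.4', '5.1', '5.1.4rc1' or '5.2.dev20241203'."""
    nums = []
    prerelease = False
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            if not nums:
                raise ValueError(f"unparsable version: {version!r}")
            prerelease = True  # e.g. a trailing 'dev...' segment
            break
        if len(digits) != len(piece):
            prerelease = True  # e.g. '4rc1' or '4a1'
        nums.append(int(digits))
    if len(nums) < 2:
        raise ValueError(f"unparsable version: {version!r}")
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2]), prerelease


def is_patched(version: str) -> bool:
    """True only if `version` is a final release at or above the fix for its branch."""
    nums, prerelease = parse_version(version)
    fixed = FIXED_RELEASES.get(nums[:2])
    if fixed is None:
        return False  # unlisted branch: no fixed release available
    if nums > fixed:
        return True
    return nums == fixed and not prerelease


if __name__ == "__main__":
    import django  # only used when run directly against a real install
    print(django.get_version(), "patched" if is_patched(django.get_version()) else "UPGRADE")
```

Run inside the project's virtualenv; any result other than "patched" means the install still needs one of the 5.1.4, 5.0.10 or 4.2.17 releases.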

The Django team urges all users to prioritize updating their Django installations to the latest secure versions to mitigate the risk posed by these vulnerabilities.
