Django Releases Security Updates to Address Critical Flaw (CVE-2024-42005, CVSS 9.8)
The Django team has issued security updates for Django 5.0.8 and 4.2.15 to address multiple vulnerabilities, including potential denial-of-service (DoS) attacks and a critical SQL injection vulnerability. All Django users are strongly urged to upgrade to the patched versions as soon as possible.
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It is widely used for building secure and scalable web applications.
Vulnerability Details:
-
CVE-2024-41989 (CVSS 7.5): This vulnerability affects the floatformat template filter, which can consume excessive memory when processing specific numeric inputs in scientific notation.
-
CVE-2024-41990 (CVSS 7.5): The urlize() and urlizetrunc() template filters are susceptible to DoS attacks through large inputs with a particular character sequence.
-
CVE-2024-41991 (CVSS 7.5): The urlize and urlizetrunc template filters, along with the AdminURLFieldWidget widget, can be exploited for DoS attacks using inputs with a significant number of Unicode characters.
-
CVE-2024-42005 (CVSS 9.8): This critical vulnerability affects QuerySet.values() and values_list() methods on models with a JSONField. It allows for SQL injection attacks through crafted JSON object keys, potentially leading to unauthorized data access and manipulation.
Affected Versions:
The vulnerabilities impact the following Django versions:
- Django main branch
- Django 5.1 (release candidate status)
- Django 5.0
- Django 4.2
Resolution:
Patches to address these security issues have been applied to the main, 5.1, 5.0, and 4.2 branches of Django. The following releases have been issued:
Recommendations:
All Django users must update their installations to the latest patched versions immediately. Upgrading to Django 5.0.8 or 4.2.15 will mitigate the risks associated with these vulnerabilities and ensure the security and integrity of Django-based applications.
