Django has issued a critical security update to address two vulnerabilities in its software. Versions 5.1.4, 5.0.10, and 4.2.17 are affected by a potential Denial-of-Service (DoS) vulnerability in the strip_tags() method and a high-severity SQL injection risk in Oracle databases. Both flaws can pose significant risks to applications, making it essential for developers and system administrators to implement the patches promptly.
The first vulnerability, identified as CVE-2024-53907, affects the django.utils.html.strip_tags() method and the striptags template filter. These components are vulnerable to a DoS attack when processing inputs with extensive sequences of nested or incomplete HTML entities. When exploited, this vulnerability can lead to performance degradation and slowdowns, potentially rendering the affected application unresponsive. It has been classified as moderate in severity.
The second vulnerability, CVE-2024-53908, is found in the HasKey lookup in the django.db.models.fields.json module. This issue is specific to Oracle databases and can lead to SQL injection if untrusted data is passed as the left-hand side (lhs) value. Applications using the jsonfield.has_key lookup through the double-underscore (__) syntax are unaffected. This vulnerability is rated as high severity due to its potential to allow attackers to manipulate the database and execute arbitrary SQL commands.
To mitigate these risks, Django has released patched versions of the affected software, including 5.1.4, 5.0.10, and 4.2.17. Users are strongly encouraged to update to these versions as soon as possible. Additionally, developers should review their codebases for vulnerable methods or lookups, particularly in applications using Oracle databases. Regularly staying updated with Django’s security releases is essential for maintaining the safety and stability of web applications.
Reference: