CVE-2024-42005: 
Django vulnerability analysis and mitigation

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. The vulnerability was discovered by Eyal Gabay of EyalSec and was disclosed on August 6, 2024 (Django Security).

The vulnerability affects the QuerySet.values() and values_list() methods specifically when used with models containing JSONField. The issue allows SQL injection attacks through column aliases when a crafted JSON object key is passed as an argument. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, though CISA-ADP assessed it as CRITICAL with a score of 9.8 (NVD Database).

If exploited, this vulnerability could allow attackers to perform SQL injection attacks, potentially leading to unauthorized access to database contents, modification of data, or execution of malicious database commands. The vulnerability affects both confidentiality, integrity, and availability of the system (NVD Database).

The Django team has released security patches to address this vulnerability. Users are strongly encouraged to upgrade to Django versions 5.0.8 or 4.2.15, depending on their current version. These patches have been applied to Django's main, 5.1, 5.0, and 4.2 branches (Django Security).