CVE-2024-53908: 
Django vulnerability analysis and mitigation

A SQL injection vulnerability (CVE-2024-53908) was discovered in Django versions 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The vulnerability affects the direct usage of django.db.models.fields.json.HasKey lookup when using an Oracle database, specifically when untrusted data is used as an lhs value. Applications using the jsonfield.haskey lookup via _ syntax are not affected (Django Security, OpenWall).

The vulnerability exists in the HasKey lookup functionality when used with Oracle databases. When untrusted data is used as an lhs (left-hand side) value in direct usage of django.db.models.fields.json.HasKey lookup, it can lead to SQL injection. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating the highest severity level (NVD).

If successfully exploited, this vulnerability could allow an attacker to perform SQL injection attacks against applications using Oracle databases with Django's HasKey lookup functionality. The high CVSS score indicates potential for complete compromise of system confidentiality, integrity, and availability through remote exploitation without requiring privileges or user interaction (CISA-ADP).

The Django team has released patches for all affected versions: Django 5.1.4, Django 5.0.10, and Django 4.2.17. Users are strongly encouraged to upgrade to these patched versions as soon as possible. For those unable to upgrade immediately, using the jsonfield.haskey lookup through the _ syntax instead of direct HasKey lookup provides a workaround as this usage pattern is unaffected by the vulnerability (Django Security).