ГлавнаяУязвимости → CVE-2024-42005
7.3высокая

CVE-2024-42005

→ есть в БДУ: BDU:2024-06269 (на русском)
Описание (на английском; русское — в БДУ выше)

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

Затрагиваемое ПО
Djangoproject Django
CVSS
Балл7.3 — высокая
ВекторCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Источники
https://docs.djangoproject.com/en/dev/releases/security/https://groups.google.com/forum/#%21forum/django-announcehttps://www.djangoproject.com/weblog/2024/aug/06/security-releases/https://security.netapp.com/advisory/ntap-20240905-0007/