CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list()

Disclosed: 2024-08-24 17:48:29 By eyalgabay To ibb
High
Vulnerability Details
Hi IBB :) I found SQL injection in Django. You can see my CVE (CVE-2024-42005) here: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/

Impact

QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. NVD rated the vulnerability severity as 9.8. https://nvd.nist.gov/vuln/detail/CVE-2024-42005
Report Stats
  • Report ID: 2646493
  • State: Closed
  • Substate: resolved
  • Upvotes: 43