An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)
The vulnerability occurs when an application directly uses the `django.db.models.fields.json.HasKey` class and passes untrusted user data as the left-hand side (lhs) value, with Oracle as the database backend. In such a configuration, input data is not properly sanitized before being embedded in the SQL query, allowing an attacker to inject malicious SQL code. Applications using lookup through the standard `__` interface (e.g., `jsonfield__has_key`) are not vulnerable — the problem only affects direct use of the lookup class.
An attacker can read, modify, or delete data in an Oracle database, and in certain configurations potentially gain control over the database server or escalate privileges in the system.
Django should be updated to version 5.1.4, 5.0.10, or 4.2.17 (depending on the branch in use). Until an update is applied, it is recommended to avoid direct use of `django.db.models.fields.json.HasKey` with untrusted data as the left-hand side value and replace it with lookup through the `__` interface (e.g., `jsonfield__has_key`).
Django 5.1 before version 5.1.4, Django 5.0 before version 5.0.10, Django 4.2 before version 4.2.17 — only in installations using Oracle database.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDjangoproject Django
APPDjangoproject4.2 – 4.2.17 (bez)5.0 – 5.0.10 (bez)5.1 – 5.1.4 (bez)
Related vulnerabilities
Django: brak walidacji uprawnień dodawania w GenericInlineModelAdmin
SQL injection w Django via argument _connector w QuerySet i Q()
In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation when...
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database f...
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotat...