CVE-2024-42005 in Django
Summary
by MITRE • 08/07/2024
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 11/06/2024
This vulnerability resides in the Django web framework's handling of JSONField data types within QuerySet operations, specifically affecting versions prior to 5.0.8 and 4.2.15. The issue manifests when developers use the values() and values_list() methods on models containing JSONField columns, creating a path for SQL injection attacks through improper sanitization of column aliases. The flaw occurs because Django fails to adequately escape or validate JSON object keys when they are used as column aliases in SQL queries, allowing maliciously crafted JSON keys to inject arbitrary SQL code into the generated queries.
The technical exploitation occurs at the query compilation layer where Django translates Python method calls into SQL statements. When a JSONField is processed through values() or values_list() with JSON object keys as arguments, the framework constructs column aliases without proper input validation. This creates a scenario where an attacker can craft a JSON object with specially designed keys that, when processed as column aliases, result in malformed SQL statements. The vulnerability specifically targets the alias generation mechanism in Django's query builder, where JSON keys are directly incorporated into SQL column references without adequate sanitization.
Operationally, this vulnerability poses significant risk to applications that utilize JSONField data types and employ QuerySet values() or values_list() methods for data retrieval. Attackers could potentially execute unauthorized database operations, extract sensitive information, or manipulate data through crafted JSON inputs. The impact extends beyond simple data exposure as the injection could potentially enable privilege escalation or denial of service conditions depending on the database configuration and application permissions. This vulnerability affects both Django 4.2.x and 5.0.x release lines, representing a widespread issue across multiple supported versions.
Security mitigations for this vulnerability include upgrading to Django versions 5.0.8 or 4.2.15 and later, which contain the necessary patches to properly sanitize JSON object keys used as column aliases. Organizations should also implement input validation measures at application level to prevent malicious JSON structures from reaching the QuerySet methods. The fix addresses the underlying CWE-74 issue related to improper neutralization of special elements in SQL commands, aligning with ATT&CK technique T1071.004 for application layer attacks. Additionally, developers should review their codebase for any custom QuerySet operations that might be vulnerable and ensure proper parameterization of all database interactions. The vulnerability demonstrates the importance of input validation in ORM frameworks and highlights the need for comprehensive security testing of data serialization mechanisms within web applications.