Search for vulnerabilities
Vulnerability details: VCID-c94m-sbts-aaae
Vulnerability ID VCID-c94m-sbts-aaae
Aliases BIT-django-2024-42005
CVE-2024-42005
GHSA-pv4p-cwwg-4rph
PYSEC-2024-70
Summary An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42005.json
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00147 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00172 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00172 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00172 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00172 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00172 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00172 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00172 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00201 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00201 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00224 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00228 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00242 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00242 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00247 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00285 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00291 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00315 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00414 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00414 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00414 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
epss 0.00423 https://api.first.org/data/v1/epss?cve=CVE-2024-42005
cvssv3.1 3.7 https://docs.djangoproject.com/en/dev/releases/security
generic_textual MODERATE https://docs.djangoproject.com/en/dev/releases/security
generic_textual Medium https://docs.djangoproject.com/en/dev/releases/security/
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-pv4p-cwwg-4rph
cvssv3.1 3.7 https://github.com/django/django
generic_textual MODERATE https://github.com/django/django
cvssv3.1 9.1 https://github.com/django/django/commit/32ebcbf2e1fe3e5ba79a6554a167efce81f7422d
generic_textual CRITICAL https://github.com/django/django/commit/32ebcbf2e1fe3e5ba79a6554a167efce81f7422d
cvssv3.1 9.1 https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28
generic_textual CRITICAL https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28
cvssv3.1 9.1 https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-70.yaml
generic_textual CRITICAL https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-70.yaml
cvssv3.1 3.7 https://groups.google.com/forum/#%21forum/django-announce
generic_textual MODERATE https://groups.google.com/forum/#%21forum/django-announce
cvssv3.1 7.3 https://nvd.nist.gov/vuln/detail/CVE-2024-42005
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2024-42005
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2024-42005
cvssv3.1 9.1 https://www.djangoproject.com/weblog/2024/aug/06/security-releases
generic_textual CRITICAL https://www.djangoproject.com/weblog/2024/aug/06/security-releases
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42005.json
https://api.first.org/data/v1/epss?cve=CVE-2024-42005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42005
https://docs.djangoproject.com/en/dev/releases/security
https://docs.djangoproject.com/en/dev/releases/security/
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/django/django
https://github.com/django/django/commit/32ebcbf2e1fe3e5ba79a6554a167efce81f7422d
https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-70.yaml
https://groups.google.com/forum/#%21forum/django-announce
https://nvd.nist.gov/vuln/detail/CVE-2024-42005
https://www.djangoproject.com/weblog/2024/aug/06/security-releases
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
1078074 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078074
2302436 https://bugzilla.redhat.com/show_bug.cgi?id=2302436
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
GHSA-pv4p-cwwg-4rph https://github.com/advisories/GHSA-pv4p-cwwg-4rph
RHSA-2024:8906 https://access.redhat.com/errata/RHSA-2024:8906
RHSA-2025:1249 https://access.redhat.com/errata/RHSA-2025:1249
RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335
USN-6946-1 https://usn.ubuntu.com/6946-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-42005.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://docs.djangoproject.com/en/dev/releases/security
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/django/django
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/django/django/commit/32ebcbf2e1fe3e5ba79a6554a167efce81f7422d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2024-70.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://groups.google.com/forum/#%21forum/django-announce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2024-42005
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-42005
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://www.djangoproject.com/weblog/2024/aug/06/security-releases
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.21584
EPSS Score 0.00052
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-07-31T12:46:41.803165+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 34.0.0rc4