CVE-2024-42005 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-42005 Interim 1 10 2026-03-05T02:17:54Z current 2024-08-07T23:10:28Z 2026-03-05T02:17:54Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-42005 An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2024-August/019140.html E-Mail link for SUSE-SU-2024:2816-1 https://lists.suse.com/pipermail/sle-security-updates/2024-August/019139.html E-Mail link for SUSE-SU-2024:2817-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AVXH6TTRGIUJPHG6XVNN3KNBVNT5ELJK/ E-Mail link for openSUSE-SU-2024:0272-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Image SLE-Micro Image SLE-Micro-BYOS Image SLE-Micro-BYOS-EC2 Image SLE-Micro-EC2 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 openSUSE Leap 15.5 openSUSE Leap 15.6 openSUSE Tumbleweed python3-Django-2.0.7-150000.1.27.1 python310-Django-5.0.8-1.1 python310-Django4-4.2.15-1.1 python311-Django-4.2.11-150600.3.6.1 python311-Django-5.0.8-1.1 python311-Django4-4.2.15-1.1 python312-Django-5.0.8-1.1 python312-Django4-4.2.15-1.1 python312-Django6-6.0-1.1 python313-Django6-6.0-1.1 regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-EC2 regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 python311-Django-4.2.11-150600.3.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 python311-Django-4.2.11-150600.3.6.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 python3-Django-2.0.7-150000.1.27.1 as a component of openSUSE Leap 15.5 python311-Django-4.2.11-150600.3.6.1 as a component of openSUSE Leap 15.6 python310-Django-5.0.8-1.1 as a component of openSUSE Tumbleweed python310-Django4-4.2.15-1.1 as a component of openSUSE Tumbleweed python311-Django-5.0.8-1.1 as a component of openSUSE Tumbleweed python311-Django4-4.2.15-1.1 as a component of openSUSE Tumbleweed python312-Django-5.0.8-1.1 as a component of openSUSE Tumbleweed python312-Django4-4.2.15-1.1 as a component of openSUSE Tumbleweed python312-Django6-6.0-1.1 as a component of openSUSE Tumbleweed python313-Django6-6.0-1.1 as a component of openSUSE Tumbleweed An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. CVE-2024-42005 Image SLE-Micro:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 Image SLE-Micro-BYOS:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 Image SLE-Micro-BYOS-EC2:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 Image SLE-Micro-EC2:regionServiceClientConfigEC2-5.0.0-slfo.1.1_1.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP7:python3-Django-2.0.7-150000.1.27.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP7:python311-Django-4.2.11-150600.3.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:python311-Django-4.2.11-150600.3.6.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:python311-Django-4.2.11-150600.3.6.1 openSUSE Leap 15.5:python3-Django-2.0.7-150000.1.27.1 openSUSE Leap 15.6:python311-Django-4.2.11-150600.3.6.1 openSUSE Tumbleweed:python310-Django-5.0.8-1.1 openSUSE Tumbleweed:python310-Django4-4.2.15-1.1 openSUSE Tumbleweed:python311-Django-5.0.8-1.1 openSUSE Tumbleweed:python311-Django4-4.2.15-1.1 openSUSE Tumbleweed:python312-Django-5.0.8-1.1 openSUSE Tumbleweed:python312-Django4-4.2.15-1.1 openSUSE Tumbleweed:python312-Django6-6.0-1.1 openSUSE Tumbleweed:python313-Django6-6.0-1.1 important 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H