An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:8906 advisory.

    Red Hat Satellite is a system management solution that allows organizations to configure and maintain     their systems without the necessity to provide public Internet access to their servers or other client     systems. It performs provisioning and configuration management of predefined standard operating     environments.

    Security Fix(es):

    * mosquitto: sending specific sequences of packets may trigger memory leak     (CVE-2024-8376)
    * micromatch: vulnerable to Regular Expression Denial of Service (CVE-2024-4067)     urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)
    * node-tar: denial of service while parsing a tar file due to lack of folders depth validation     (CVE-2024-28863)
    * python-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)
    * python-django: Username enumeration through timing difference for users with unusable passwords     (CVE-2024-39329)
    * python-django: Potential directory-traversal in django.core.files.storage.Storage.save()     (CVE-2024-39330)
    * python-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant()     (CVE-2024-39614)
    * github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp     (CVE-2024-5569)
    * puppet-foreman: An authentication bypass vulnerability exists in Foreman (CVE-2024-7012)
    * python-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)
    * grpc: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the     backend (CVE-2024-7246)
    * puppet-pulpcore: An authentication bypass vulnerability exists in pulpcore (CVE-2024-7923)
    * foreman: Read-only access to entire DB from templates (CVE-2024-8553)

    Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-12803 advisory.

    Oracle Linux Automation Manager 2.2

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:6428 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-controller: Django: Potential SQL injection in QuerySet.values() and values_list()     (CVE-2024-42005)
    * automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize()     and AdminURLFieldWidget (CVE-2024-41991)
    * automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize()     (CVE-2024-41990)
    * automation-controller: python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats     (CVE-2024-33663)
    * automation-controller: python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-     django (CVE-2024-32879)
    * automation-controller: Gain access to the k8s API server via job execution with Container Group     (CVE-2024-6840)
    * python3/python39-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)
    * python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and     AdminURLFieldWidget (CVE-2024-41991)
    * python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize()     (CVE-2024-41990)
    * python3/python39-django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)
    * python3/python39-django: Potential denial-of-service in     django.utils.translation.get_supported_language_variant() (CVE-2024-39614)
    * python3/python39-django: Potential directory-traversal in django.core.files.storage.Storage.save()     (CVE-2024-39330)
    * python3/python39-django: Username enumeration through timing difference for users with unusable     passwords (CVE-2024-39329)
    * python3/python39-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)
    * python3/python39-grpcio: client communicating with a HTTP/2 proxy can poison the HPACK table between the     proxy and the backend (CVE-2024-7246)
    * python3/python39-zipp: Denial of Service (infinite loop) via crafted zip file (CVE-2024-5569)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes for automation controller:
    * Updated the receptor to not automatically release the receptor work unit when     RECEPTOR_KEEP_WORK_ON_ERROR is set to true (AAP-27635)
    * Updated the Help link in the REST API to point to the latest API Reference documentation (AAP-27573)
    * Fixed a timeout error in the UI when trying to load the Activity Stream (AAP-26772)
    * automation-controller has been updated to 4.5.10

    Updates and fixes for automation hub:
    * API browser now correctly escapes JSON values (AAH-3272, AAP-14463)
    * python3/python39-pulpcore has been updated to 3.28.31
    * python3/python39-pulp-ansible has been updated to 0.20.8

    Additional fixes:
    * Gunicorn python package will no longer obsolete itself when checking for or applying updates (AAP-28364)
    * python3/python39-django has been updated to 4.2.15
    * python3/python39-grpcio has been updated to 1.58.3
    * python3/python39-jmespath has been updated to 0.10.0-5
    * python3/python39-zipp has been updated to 3.19.2

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2816-1 advisory.

    - CVE-2024-42005: Fixed SQL injection in QuerySet.values() and values_list() (bsc#1228629)
    - CVE-2024-41989: Fixed Memory exhaustion in django.utils.numberformat.floatformat() (bsc#1228630)
    - CVE-2024-41990: Fixed denial-of-service vulnerability in django.utils.html.urlize() (bsc#1228631)
    - CVE-2024-41991: Fixed another denial-of-service vulnerability in django.utils.html.urlize()     (bsc#1228632)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2817-1 advisory.

    - CVE-2024-42005: Fixed SQL injection in QuerySet.values() and values_list() (bsc#1228629)
    - CVE-2024-41989: Fixed Memory exhaustion in django.utils.numberformat.floatformat() (bsc#1228630)
    - CVE-2024-41990: Fixed denial-of-service vulnerability in django.utils.html.urlize() (bsc#1228631)
    - CVE-2024-41991: Fixed another denial-of-service vulnerability in django.utils.html.urlize()     (bsc#1228632)
    - CVE-2022-28346: Fixed SQL injection in QuerySet.annotate(),aggregate() and extra() (bsc#1198398)
    - CVE-2019-12308: Fixed XSS in AdminURLFieldWidget (bsc#1136468)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 94d441d2-5497-11ef-9d2f-080027836e8b advisory.

    Django reports:
    CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat().
    CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize().
    CVE-2024-41991: Potential denial-of-service vulnerability in                 django.utils.html.urlize() and AdminURLFieldWidget.
    CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list().

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6946-1 advisory.

    It was discovered that Django incorrectly handled certain strings in floatformat function. An attacker     could possibly use this issue to cause a memory exhaustion. (CVE-2024-41989)

    It was discovered that Django incorrectly handled very large inputs. An attacker could possibly use this     issue to cause a denial of service. (CVE-2024-41990)

    It was discovered that Django in AdminURLFieldWidget incorrectly handled certain inputs with a very large     number of Unicode characters. An attacker could possibly use this issue to cause a denial of service.
    (CVE-2024-41991)

    It was discovered that Django incorrectly handled certain JSON objects. An attacker could possibly use     this issue to cause a potential SQL injection. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04     LTS. (CVE-2024-42005)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
210402	RHEL 8 / 9 : Satellite 6.16.0 (Critical) (RHSA-2024:8906)	Nessus	Red Hat Local Security Checks	critical
210229	Oracle Linux 8 : Oracle / Linux / Automation / Manager / 2.2 / (MODERATE) (ELSA-2024-12803)	Nessus	Oracle Linux Local Security Checks	high
206781	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:6428)	Nessus	Red Hat Local Security Checks	high
205186	SUSE SLES15 / openSUSE 15 Security Update : python-Django (SUSE-SU-2024:2816-1)	Nessus	SuSE Local Security Checks	high
205169	openSUSE 15 Security Update : python-Django (SUSE-SU-2024:2817-1)	Nessus	SuSE Local Security Checks	critical
205160	FreeBSD : Django -- multiple vulnerabilities (94d441d2-5497-11ef-9d2f-080027836e8b)	Nessus	FreeBSD Local Security Checks	high
205111	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : Django vulnerabilities (USN-6946-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2024-42005

high

Tenable Plugins

critical

high

high

high

critical

high

high