{"affected_release": [{"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-server-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2025:1249", "cpe": "cpe:/o:redhat:discovery:1.0::el9", "package": "discovery/discovery-ui-rhel9:1.12.0-1", "product_name": "Discovery 1 for RHEL 9", "release_date": "2025-02-10T00:00:00Z"}, {"advisory": "RHSA-2024:6428", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-controller-0:4.5.10-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-09-05T00:00:00Z"}, {"advisory": "RHSA-2024:6428", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-django-0:4.2.15-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-09-05T00:00:00Z"}, {"advisory": "RHSA-2024:6428", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-controller-0:4.5.10-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-09-05T00:00:00Z"}, {"advisory": "RHSA-2024:6428", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-django-0:4.2.15-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-09-05T00:00:00Z"}, {"advisory": "RHSA-2024:8906", "cpe": "cpe:/a:redhat:satellite:6.16::el8", "package": "python-django-0:4.2.16-1.el8pc", "product_name": "Red Hat Satellite 6.16 for RHEL 8", "release_date": "2024-11-05T00:00:00Z"}, {"advisory": "RHSA-2024:8906", "cpe": "cpe:/a:redhat:satellite_capsule:6.16::el8", "package": "python-django-0:4.2.16-1.el8pc", "product_name": "Red Hat Satellite 6.16 for RHEL 8", "release_date": "2024-11-05T00:00:00Z"}, {"advisory": "RHSA-2024:8906", "cpe": "cpe:/a:redhat:satellite:6.16::el9", "package": 
"python-django-0:4.2.16-1.el9pc", "product_name": "Red Hat Satellite 6.16 for RHEL 9", "release_date": "2024-11-05T00:00:00Z"}, {"advisory": "RHSA-2024:8906", "cpe": "cpe:/a:redhat:satellite_capsule:6.16::el9", "package": "python-django-0:4.2.16-1.el9pc", "product_name": "Red Hat Satellite 6.16 for RHEL 9", "release_date": "2024-11-05T00:00:00Z"}, {"advisory": "RHSA-2025:1335", "cpe": "cpe:/a:redhat:rhui:4::el8", "package": "python-django-0:4.2.15-1.el8ui", "product_name": "RHUI 4 for RHEL 8", "release_date": "2025-02-12T00:00:00Z"}], "bugzilla": {"description": "python-django: Potential SQL injection in QuerySet.values() and values_list()", "id": "2302436", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302436"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-89", "details": ["An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg.", "A flaw was found in Django. 
The QuerySet.values() and QuerySet.values_list() methods on models with a JSONField were subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-42005", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/ee-dellemc-openmanage-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-24/lightspeed-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "ansible-automation-platform-24/platform-resource-runner-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:certifications:1::el8", "fix_state": "Affected", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:certifications:1::el9", "fix_state": "Affected", "package_name": "redhat-certification", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 9"}], "public_date": "2024-08-06T13:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-42005\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-42005\nhttps://www.djangoproject.com/weblog/2024/aug/06/security-releases/"], "statement": "This vulnerability is considered of moderate severity rather than high or critical because it requires specific conditions to be exploitable. 
The potential for SQL injection exists only when QuerySet.values() or values_list() methods are used on models with a JSONField, and an attacker must have control over the JSON object keys passed as arguments. In typical use cases, these methods are often used with predefined or controlled data, limiting the attack surface. Furthermore, the impact is constrained to the manipulation of column aliases, rather than direct injection into more critical parts of the SQL query, reducing the overall risk compared to more direct forms of SQL injection vulnerabilities.", "threat_severity": "Moderate"}