Django 4.2.17 release notes¶

December 4, 2024

Django 4.2.17 fixes one security issue with severity “high” and one security issue with severity “moderate” in 4.2.16.

CVE-2024-53907: Denial-of-service possibility in `strip_tags()`¶

strip_tags() would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities. The strip_tags() method is used to implement the corresponding striptags template filter, which was thus also vulnerable.

strip_tags() now has an upper limit of recursive calls to HTMLParser before raising a SuspiciousOperation exception.

Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape().

CVE-2024-53908: Potential SQL injection via `HasKey(lhs, rhs)` on Oracle¶

Direct usage of the django.db.models.fields.json.HasKey lookup on Oracle was subject to SQL injection if untrusted data was used as a lhs value.

Applications that use the has_key lookup through the __ syntax are unaffected.

Django 4.2.21 documentation

Django 4.2.17 release notes¶

CVE-2024-53907: Denial-of-service possibility in `strip_tags()`¶

CVE-2024-53908: Potential SQL injection via `HasKey(lhs, rhs)` on Oracle¶

Table of Contents

Previous topic

Next topic

Last update:

Django 4.2.21 documentation

Django 4.2.17 release notes¶

CVE-2024-53907: Denial-of-service possibility in strip_tags()¶

CVE-2024-53908: Potential SQL injection via HasKey(lhs, rhs) on Oracle¶

Last update:

CVE-2024-53907: Denial-of-service possibility in `strip_tags()`¶

CVE-2024-53908: Potential SQL injection via `HasKey(lhs, rhs)` on Oracle¶