{
  "threat_severity" : "Important",
  "public_date" : "2025-09-03T00:00:00Z",
  "bugzilla" : {
    "description" : "django: Django SQL injection in FilteredRelation column aliases",
    "id" : "2392990",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2392990"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-89",
  "details" : [ "An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias().", "An SQL injection flaw has been discovered in the Django web framework. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias()." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2025-09-22T00:00:00Z",
    "advisory" : "RHSA-2025:16403",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "python3x-django-0:4.2.24-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2025-09-22T00:00:00Z",
    "advisory" : "RHSA-2025:16404",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "ansible-automation-platform-24/lightspeed-rhel8:2.4.250225-18"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2025-09-22T00:00:00Z",
    "advisory" : "RHSA-2025:16403",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "python-django-0:4.2.24-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-09-23T00:00:00Z",
    "advisory" : "RHSA-2025:16487",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "automation-controller-0:4.6.20-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-09-23T00:00:00Z",
    "advisory" : "RHSA-2025:16487",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "python3.11-django-0:4.2.24-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-09-23T00:00:00Z",
    "advisory" : "RHSA-2025:16514",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "ansible-automation-platform-25/lightspeed-rhel8:2.5.250924-1"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-09-23T00:00:00Z",
    "advisory" : "RHSA-2025:16487",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "automation-controller-0:4.6.20-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-09-23T00:00:00Z",
    "advisory" : "RHSA-2025:16487",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "python3.11-django-0:4.2.24-1.el9ap"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2025-10-07T00:00:00Z",
    "advisory" : "RHSA-2025:17499",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "python-django20-0:2.0.13-20.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1 for RHEL 9",
    "release_date" : "2025-10-07T00:00:00Z",
    "advisory" : "RHSA-2025:17498",
    "cpe" : "cpe:/a:redhat:openstack:17.1::el9",
    "package" : "python-django-0:2.2.24-12.el9ost"
  }, {
    "product_name" : "Red Hat OpenStack Services on OpenShift 18.0",
    "release_date" : "2025-10-07T00:00:00Z",
    "advisory" : "RHSA-2025:17500",
    "cpe" : "cpe:/a:redhat:openstack:18.0::el9",
    "package" : "python-django-0:3.2.12-9.el9ost"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17614",
    "cpe" : "cpe:/a:redhat:satellite:6.15::el8",
    "package" : "python-django-0:4.2.24-0.1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17614",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.15::el8",
    "package" : "python-django-0:4.2.24-0.1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el8",
    "package" : "python-django-0:4.2.24-0.1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el8",
    "package" : "python-django-0:4.2.24-0.1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el9",
    "package" : "python-django-0:4.2.24-0.1.el9pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17613",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el9",
    "package" : "python-django-0:4.2.24-0.1.el9pc"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17606",
    "cpe" : "cpe:/a:redhat:satellite:6.17::el9",
    "package" : "python-django-0:4.2.24-0.1.el9pc"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2025-10-08T00:00:00Z",
    "advisory" : "RHSA-2025:17606",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.17::el9",
    "package" : "python-django-0:4.2.24-0.1.el9pc"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-cni-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-must-gather-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-pilot-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-proxyv2-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel9-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-sail-operator-bundle",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh-tech-preview/istio-ztunnel-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-24/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/ansible-dev-tools-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform-25/lightspeed-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-tech-preview/ansible-devspaces-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:certifications:1::el7"
  }, {
    "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers",
    "fix_state" : "Will not fix",
    "package_name" : "python-django",
    "cpe" : "cpe:/a:redhat:rhui:4::el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-57833\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-57833\nhttps://docs.djangoproject.com/en/dev/releases/security/\nhttps://groups.google.com/g/django-announce\nhttps://www.djangoproject.com/weblog/2025/sep/03/security-releases/" ],
  "name" : "CVE-2025-57833",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}