[5.0.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.

Thanks Eyal (eyalgabay) for the report.

2 files changed, 14 insertions, 0 deletions

diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
index 1c6a1c7ede..b1d4684596 100644
--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
 subject to a potential denial-of-service attack via certain inputs with a very
 large number of Unicode characters.
 
+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
 Bugfixes
 ========
 
diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt
index 2a0823d0ca..37f51f71c7 100644
--- a/docs/releases/5.0.8.txt
+++ b/docs/releases/5.0.8.txt
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
 subject to a potential denial-of-service attack via certain inputs with a very
 large number of Unicode characters.
 
+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
 Bugfixes
 ========