Fixed CVE-2024-53908 -- Prevented SQL injections in direct HasKeyLookup usage on Oracle.

Thanks Seokchan Yoon for the report, and Mariusz Felisiak and Sarah Boyce for the reviews.
author: Simon Charette <charette.s@gmail.com> 2024-11-08 21:27:31 -0500
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-12-04 13:43:13 +0100
commit: 8f8dc5a1fca7d076e749f307f6573af3512e7e99 (patch)
tree: a67db349f768eb36c7e932104ceb36e009b848f2 /docs
parent: 49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba (diff)
3 files changed, 27 insertions, 0 deletions
diff --git a/docs/releases/4.2.17.txt b/docs/releases/4.2.17.txt
index 9db07f6da7..9a6aee3db6 100644
--- a/docs/releases/4.2.17.txt
+++ b/docs/releases/4.2.17.txt
@@ -22,3 +22,12 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
+
+CVE-2024-53908: Potential SQL injection via ``HasKey(lhs, rhs)`` on Oracle
+==========================================================================
+
+Direct usage of the ``django.db.models.fields.json.HasKey`` lookup on Oracle
+was subject to SQL injection if untrusted data was used as a ``lhs`` value.
+
+Applications that use the :lookup:`has_key <jsonfield.has_key>` lookup through
+the ``__`` syntax are unaffected.
diff --git a/docs/releases/5.0.10.txt b/docs/releases/5.0.10.txt
index 54569516a5..ae1fbf99e4 100644
--- a/docs/releases/5.0.10.txt
+++ b/docs/releases/5.0.10.txt
@@ -22,3 +22,12 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
+
+CVE-2024-53908: Potential SQL injection via ``HasKey(lhs, rhs)`` on Oracle
+==========================================================================
+
+Direct usage of the ``django.db.models.fields.json.HasKey`` lookup on Oracle
+was subject to SQL injection if untrusted data was used as a ``lhs`` value.
+
+Applications that use the :lookup:`has_key <jsonfield.has_key>` lookup through
+the ``__`` syntax are unaffected.
diff --git a/docs/releases/5.1.4.txt b/docs/releases/5.1.4.txt
index 389952efa6..e768725688 100644
--- a/docs/releases/5.1.4.txt
+++ b/docs/releases/5.1.4.txt
@@ -23,6 +23,15 @@ Remember that absolutely NO guarantee is provided about the results of
 ``strip_tags()`` call without escaping it first, for example with
 :func:`django.utils.html.escape`.
 
+CVE-2024-53908: Potential SQL injection via ``HasKey(lhs, rhs)`` on Oracle
+==========================================================================
+
+Direct usage of the ``django.db.models.fields.json.HasKey`` lookup on Oracle
+was subject to SQL injection if untrusted data was used as a ``lhs`` value.
+
+Applications that use the :lookup:`has_key <jsonfield.has_key>` lookup through
+the ``__`` syntax are unaffected.
+
 Bugfixes
 ========
author	Simon Charette <charette.s@gmail.com>	2024-11-08 21:27:31 -0500
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-12-04 13:43:13 +0100
commit	8f8dc5a1fca7d076e749f307f6573af3512e7e99 (patch)
tree	a67db349f768eb36c7e932104ceb36e009b848f2 /docs
parent	49ff1042aa66bb25eda87e9a8ef82f3b0ad4eeba (diff)