summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/4.2.15.txt7
-rw-r--r--docs/releases/5.0.8.txt7
2 files changed, 14 insertions, 0 deletions
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
index 1c6a1c7ede..b1d4684596 100644
--- a/docs/releases/4.2.15.txt
+++ b/docs/releases/4.2.15.txt
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
Bugfixes
========
diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt
index 2a0823d0ca..37f51f71c7 100644
--- a/docs/releases/5.0.8.txt
+++ b/docs/releases/5.0.8.txt
@@ -30,6 +30,13 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
+CVE-2024-42005: Potential SQL injection in ``QuerySet.values()`` and ``values_list()``
+======================================================================================
+
+:meth:`.QuerySet.values` and :meth:`~.QuerySet.values_list` methods on models
+with a ``JSONField`` were subject to SQL injection in column aliases, via a
+crafted JSON object key as a passed ``*arg``.
+
Bugfixes
========
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 06:03:40 +0000