Django · Django · CVE-2024-42005
**Name of the Vulnerable Software and Affected Versions**
Django versions 4.2 through 4.2.14
Django versions 5.0 through 5.0.7
**Description**
The issue is an SQL injection in the QuerySet.values() and values_list() methods on models with a JSONField. It can be exploited by passing a crafted JSON object key as an argument, allowing an attacker to execute arbitrary SQL queries. An estimated over 5.4 million services worldwide are potentially affected.
**Recommendations**
For Django versions 4.2 through 4.2.14, upgrade to Django 4.2.15.
For Django versions 5.0 through 5.0.7, upgrade to Django 5.0.8.
As a temporary workaround, consider restricting the use of the QuerySet.values() and values_list() methods on models with a JSONField until you can upgrade to a fixed release.
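As an added defender-side example, not taken from the advisory or from the Django code base, the following helper checks an installed Django version against the affected ranges listed above and guards the field names handed to values()/values_list() when JSON keys come from an untrusted source. The forbidden-character pattern is an assumption modelled on Django's alias checking, and the sample keys are constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Affected ranges from the advisory: 4.2 through 4.2.14 and 5.0 through 5.0.7
# (fixed in 4.2.15 and 5.0.8). Each entry is (lowest affected, highest affected).
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((4, 2, 0), (4, 2, 14)),
    ((5, 0, 0), (5, 0, 7)),
]

# Characters and tokens that have no business in a column alias derived from a
# JSON key: quotes, brackets, semicolons, whitespace and SQL comment markers.
# Assumption: modelled on Django's own forbidden-alias check, not quoted from it.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '4.2', '4.2.14' or '4.2.15rc1' into a comparable (major, minor, patch)."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = re.match(r"\d+", piece)  # ignore suffixes such as 'rc1'
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when the given Django version lies inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def is_safe_values_arg(name: object) -> bool:
    """A field/JSON-key argument is safe only if it is a non-empty string free of
    the forbidden characters; 'data__address__city' passes, 'data__bad key' does not."""
    return isinstance(name, str) and bool(name) and not FORBIDDEN_ALIAS_PATTERN.search(name)


def validate_values_args(fields: Iterable[str]) -> List[str]:
    """Guard to place in front of QuerySet.values()/values_list() when the
    JSON keys originate from request input; raises on the first unsafe name."""
    cleaned: List[str] = []
    for name in fields:
        if not is_safe_values_arg(name):
            raise ValueError(f"unsafe field name rejected: {name!r}")
        cleaned.append(name)
    return cleaned


if __name__ == "__main__":
    print("4.2.14 affected:", is_affected("4.2.14"), "| 4.2.15 affected:", is_affected("4.2.15"))
    print(validate_values_args(["id", "data__name", "data__address__city"]))  # constructed keys
```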