CVE-2022-28346
Published 2022-04-12
Priority P2 · 65 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 18.66% (96.9th percentile)
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Affected (9 ranges at source; duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < 2:3.2.13-1 (bookworm) | 2:3.2.13-1 (bookworm) |
| djangoproject | django | >= 2.2 < 2.2.28 | 2.2.28 |
| djangoproject | django | >= 3.2 < 3.2.13 | 3.2.13 |
| djangoproject | django | >= 4.0 < 4.0.4 | 4.0.4 |
Detection & IOCs (extracted from sources)
- SQL injection via a crafted dictionary (with dictionary expansion) passed as **kwargs to QuerySet.annotate(), aggregate(), or extra(). The payload sits in the dictionary keys, which become column aliases in the generated SQL; the values are not the injection point.
- Monitor Django application logs and database query logs for anomalous or malformed column alias strings in SQL generated by annotate(), aggregate(), or extra() calls.
- Inspect the kwargs an application passes to these QuerySet methods for unexpected SQL metacharacters, quotes, comment markers, or subqueries in key names. An application is only exposed where it expands attacker-controlled keys (for example, request parameters) into these calls.
- Affected Django versions: 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. Fixed versions are 2.2.28, 3.2.13, and 4.0.4 respectively.
- Red Hat OpenStack ships the affected Django version but is not exposed because the vulnerable code paths are not used by the product.
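The following is an added example (not code from Django, the advisory, or any distributor) that models both the injection described above and the log-side check in the detection list. It assumes a hypothetical application that expands request keys into annotate(**kwargs); the FORBIDDEN_ALIAS_PATTERN regex is reproduced from memory of the check the upstream fix added and is not imported from Django; render_select() is a toy stand-in for Django's SQL compiler, keeping only the identifier-quoting behaviour that matters here; and ALLOWED_ALIASES is a hypothetical application allowlist.

```python
import re

# Added example, not code from Django or from the advisory. It models the
# CVE-2022-28346 pattern: dictionary keys expanded into QuerySet.annotate(**kwargs),
# aggregate(**kwargs) or extra(select={...}) become column aliases, and Django
# 2.2 < 2.2.28, 3.2 < 3.2.13 and 4.0 < 4.0.4 wrote them into SQL unchecked.

# Assumption: reproduced from memory of the FORBIDDEN_ALIAS_PATTERN check the
# upstream fix added to django/db/models/sql/query.py; not imported from Django.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias: str) -> None:
    """Raise on an alias that could break out of a quoted identifier."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation marks, "
            "semicolons, or SQL comments."
        )


def quote_name(name: str) -> str:
    """Identifier quoting of the kind Django's backends use: wrap the name in
    double quotes without escaping embedded quotes, so a quote inside the
    alias terminates the identifier early."""
    if name.startswith('"') and name.endswith('"'):
        return name
    return '"%s"' % name


def render_select(table: str, annotations: dict) -> str:
    """Toy stand-in for the SQL compiler (not Django's): every annotation
    becomes '<expression> AS <quoted alias>' in the SELECT list."""
    cols = [f"{expr} AS {quote_name(alias)}" for alias, expr in annotations.items()]
    return f"SELECT {', '.join(cols)} FROM {quote_name(table)}"


def vulnerable_annotations(query_params: dict) -> dict:
    """Unsafe pattern: each request key becomes an alias name, the shape of
    Model.objects.annotate(**{key: Count('id') for key in request.GET})."""
    return {key: "COUNT(*)" for key in query_params}


ALLOWED_ALIASES = {"total", "per_author"}  # hypothetical application allowlist


def safe_annotations(query_params: dict) -> dict:
    """Hardened pattern: only allowlisted alias names are accepted, and each
    one is still run through check_alias() as a second line of defence."""
    out = {}
    for key in query_params:
        if key not in ALLOWED_ALIASES:
            continue
        check_alias(key)
        out[key] = "COUNT(*)"
    return out


# Constructed attacker input: the payload is the dictionary KEY, not the value.
ATTACK_PARAMS = {'total" FROM auth_user; --': "1"}
BENIGN_PARAMS = {"total": "1"}


def demo_vulnerable(params: dict = ATTACK_PARAMS) -> str:
    """SQL a pre-fix Django would build from the unsafe pattern."""
    return render_select("blog_post", vulnerable_annotations(params))


def demo_safe(params: dict = ATTACK_PARAMS) -> dict:
    """Annotations the hardened pattern lets through for the same input."""
    return safe_annotations(params)


def suspicious_sql(line: str) -> list:
    """Log-side heuristic for the monitoring bullet above. A crafted alias
    closes the quote itself, so matching the alias text is unreliable; instead
    flag the comment markers and mid-statement semicolons an attacker needs to
    neutralise the SQL Django appends after the alias."""
    reasons = []
    if "--" in line or "/*" in line:
        reasons.append("sql comment marker")
    if ";" in line.rstrip().rstrip(";"):
        reasons.append("statement separator inside query")
    return reasons


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_safe())
    print(suspicious_sql(demo_vulnerable()))
```

With the constructed attacker key, demo_vulnerable() yields a statement in which the attacker's `FROM auth_user` replaces the intended table and a trailing comment swallows the rest of Django's SQL, while demo_safe() returns an empty dict because the key is not in the allowlist. The allowlist is the real control; check_alias() is what the fixed Django versions do and is kept here as defence in depth and as a pre-call test for applications that cannot upgrade immediately.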
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 6.1 | MEDIUM | |
GHSA
SQL Injection in Django
ghsa·2022-04-13
CVE-2022-28346 [CRITICAL] CWE-89
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. `QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed `**kwargs`.
OSV
SQL Injection in Django
osv·2022-04-13
CVE-2022-28346 [CRITICAL]
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. `QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed `**kwargs`.
OSV
CVE-2022-28346: An issue was discovered in Django 2
osv·2022-04-12·CVSS 9.8
CVE-2022-28346 [CRITICAL]
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
OSV
python-django vulnerabilities
osv·2022-04-11·CVSS 6.1
CVE-2022-28346 [MEDIUM]
It was discovered that Django incorrectly handled certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that Django incorrectly handled certain option names in
the QuerySet.explain() method. A remote attacker could possibly use this
issue to perform an SQL injection attack. This issue only affected Ubuntu
20.04 LTS, and Ubuntu 21.10. (CVE-2022-28347)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. This issue only affected Ubuntu 18.04
LTS. (CVE-2021-32052)
OSV
python-django vulnerabilities
osv·2022-04-11·CVSS 6.1
CVE-2022-28346 [MEDIUM]
USN-5373-1 fixed several vulnerabilities in Django. This update provides
the corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
Original advisory details:
It was discovered that Django incorrectly handled certain column
aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A
remote attacker could possibly use this issue to perform an SQL injection
attack. (CVE-2022-28346)
It was discovered that the Django URLValidator function incorrectly handled
newlines and tabs. A remote attacker could possibly use this issue to
perform a header injection attack. (CVE-2021-32052)
Ubuntu
Django vulnerabilities
vendor_ubuntu·2022-04-11·CVSS 6.1
CVE-2022-28346 [MEDIUM]
Summary: Several security issues were fixed in Django (USN-5373-1; advisory text as in the OSV entry above).
Red Hat
Django: SQL injection in QuerySet.annotate(), aggregate() and extra()
vendor_redhat·2022-04-11·CVSS 9.8
CVE-2022-28346 [CRITICAL] CWE-89
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
A flaw was found in the Django package, which leads to a SQL injection. This flaw allows an attacker using a crafted dictionary containing malicious SQL queries to compromise the database completely.
Statement: Red Hat OpenStack does ship the affected version of Django; however, the vulnerability is not exposed in the product because it does not make use of the vulnerable code. We may update Django in a future release of OpenStack.
Package: graphite-web (Red Hat C
Ubuntu
Django vulnerabilities
vendor_ubuntu·2022-04-11·CVSS 6.1
CVE-2021-32052 [MEDIUM]
Summary: Several security issues were fixed in Django (USN-5373-2 follow-up for Ubuntu 14.04 ESM and 16.04 ESM; advisory text as in the OSV entry above).
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2022-28346: python-django - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 ...
vendor_debian·2022·CVSS 9.8
CVE-2022-28346 [CRITICAL]
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Scope: local
bookworm: resolved (fixed in 2:3.2.13-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 2:3.2.13-1)
sid: resolved (fixed in 2:3.2.13-1)
trixie: resolved (fixed in 2:3.2.13-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://www.openwall.com/lists/oss-security/2022/04/11/1
https://docs.djangoproject.com/en/4.0/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://security.netapp.com/advisory/ntap-20220609-0002/
https://www.debian.org/security/2022/dsa-5254
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/