cbcvebase.
CVE-2022-28346
published 2022-04-12

Priority: P265
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 18.66% (96.9th percentile)
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Affected

Vendor         Product        Version range              Fixed in
debian         debian_linux   (not specified)            (not specified)
debian         python-django  < 2:3.2.13-1 (bookworm)    2:3.2.13-1 (bookworm)
djangoproject  django         >= 2.2, < 2.2.28           2.2.28
djangoproject  django         >= 3.2, < 3.2.13           3.2.13
djangoproject  django         >= 4.0, < 4.0.4            4.0.4

Detection & IOCs (extracted from sources)

  • The injection surface is the keyword names, not the values: QuerySet.annotate(), aggregate() and extra() turn each **kwargs key into a column alias in the generated SQL, and affected versions did not validate those names. An application is exposed when it expands a caller-controlled mapping into one of these calls (for example, building the kwargs dict from request parameters); keyword arguments written literally in source code are not attacker-controlled.
  • Audit the code base for annotate(), aggregate() or extra() calls that receive a dictionary expansion (**some_dict) whose keys originate from request data, and inspect those keys for whitespace, quotation marks, semicolons or SQL comment sequences (--, /* */).
  • Monitor application and database query logs for SQL generated by these calls in which a column alias contains such characters; the fixed releases reject those aliases with a ValueError before any SQL is built, so a burst of that error in application logs is also a sign of probing.
  • Affected Django versions: 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. Fixed versions are 2.2.28, 3.2.13 and 4.0.4 respectively.
  • Red Hat OpenStack ships an affected Django version but is not exposed, because the vulnerable code paths are not used by the product.
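As an added illustration (this is not Django's code and not taken from the advisory), the stand-alone script below models the mechanism described above: a toy aggregate() that, like the affected releases, interpolates each keyword name into the SELECT list as a quoted alias, run against an in-memory SQLite database. The table names, row data and the crafted key are constructed for the example; check_alias is modelled on the reject-list approach the fixed releases take, but the regex is this example's own pattern, and nothing here is a proof of concept against Django itself.

```python
import re
import sqlite3

# Reject-list over alias names, modelled on the approach the fixed Django
# releases take (reject whitespace, quotes, brackets, semicolons and SQL
# comment sequences). The exact pattern is this example's own, not Django's.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def check_alias(alias: str) -> str:
    """Raise ValueError for an alias that could break out of identifier quoting."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation "
            "marks, semicolons, or SQL comments."
        )
    return alias


def quote_name(name: str) -> str:
    """Simplified identifier quoting (constructed for this example): wrap in
    double quotes without escaping anything inside the name."""
    return '"%s"' % name


def build_aggregate_sql(table: str, validate: bool, **aggregates: str) -> str:
    """Toy stand-in for QuerySet.aggregate(**kwargs): every keyword name ends
    up verbatim as a column alias in the SELECT list."""
    select_items = []
    for alias, expression in aggregates.items():
        if validate:
            check_alias(alias)
        select_items.append(f"{expression} AS {quote_name(alias)}")
    return f"SELECT {', '.join(select_items)} FROM {quote_name(table)}"


def demo() -> dict:
    """Run a benign alias, the crafted alias without validation (affected
    behaviour) and the crafted alias with validation (fixed behaviour)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER);
        INSERT INTO orders (amount) VALUES (10), (20);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO secrets (token) VALUES ('s3cr3t-api-key');
        """
    )
    results = {}

    # The application chooses the expression; only the alias name comes from
    # the caller (think of a view that does Model.objects.aggregate(**stats)
    # where the keys of `stats` were taken from request parameters).
    benign = {"total": "COUNT(*)"}
    results["benign_row"] = conn.execute(
        build_aggregate_sql("orders", True, **benign)
    ).fetchone()

    # Crafted key (constructed for this example): the embedded quote closes
    # the alias early and the remainder smuggles a subquery into the SELECT
    # list, which is why an unvalidated alias is an injection point.
    crafted = {'n", (SELECT token FROM secrets LIMIT 1) AS "leak': "COUNT(*)"}

    vulnerable_sql = build_aggregate_sql("orders", False, **crafted)
    results["vulnerable_sql"] = vulnerable_sql
    results["vulnerable_row"] = conn.execute(vulnerable_sql).fetchone()

    try:
        build_aggregate_sql("orders", True, **crafted)
        results["hardened_error"] = None
    except ValueError as exc:
        results["hardened_error"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it prints the benign row (2,), the generated SQL for the crafted key and the leaked row (2, 's3cr3t-api-key') from the unvalidated path, and the ValueError message from the validated path. The practical takeaway is the same as the detection bullets above: upgrading gives you the alias check, but the durable fix in application code is never to let request data choose the keys that are expanded into annotate(), aggregate() or extra().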

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            -        9.8    CRITICAL  -
vendor_debian  -        9.8    CRITICAL  -
vendor_redhat  -        9.8    CRITICAL  -
vendor_ubuntu  -        6.1    MEDIUM    -