CVE-2022-28347
Published 2022-04-12
Priority P355 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.92% (85.3th percentile)
A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | python-django | < python-django 2:3.2.13-1 (bookworm) | python-django 2:3.2.13-1 (bookworm) |
| djangoproject | django | >= 2.2 < 2.2.28 | 2.2.28 |
| djangoproject | django | >= 2.2 < 2.2.28 | 2.2.28 |
| djangoproject | django | >= 3.2 < 3.2.13 | 3.2.13 |
| djangoproject | django | >= 3.2 < 3.2.13 | 3.2.13 |
| djangoproject | django | >= 4.0 < 4.0.4 | 4.0.4 |
| djangoproject | django | >= 4.0 < 4.0.4 | 4.0.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
OSV
osv · 2022-04-13
CVE-2022-28347 [CRITICAL] SQL Injection in Django
A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.
GHSA
ghsa · 2022-04-13
CVE-2022-28347 [CRITICAL] CWE-89 SQL Injection in Django
A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.
OSV
osv · 2022-04-12 · CVSS 9.8
CVE-2022-28347 [CRITICAL] A SQL injection issue was discovered in QuerySet
A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.
OSV
osv · 2022-04-11 · CVSS 6.1
CVE-2022-28346 [MEDIUM] python-django vulnerabilities
It was discovered that Django incorrectly handled certain column aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A remote attacker could possibly use this issue to perform an SQL injection attack. (CVE-2022-28346)

It was discovered that Django incorrectly handled certain option names in the QuerySet.explain() method. A remote attacker could possibly use this issue to perform an SQL injection attack. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 21.10. (CVE-2022-28347)

It was discovered that the Django URLValidator function incorrectly handled newlines and tabs. A remote attacker could possibly use this issue to perform a header injection attack. This issue only affected Ubuntu 18.04 LTS. (CVE-2021-32052)
Ubuntu
vendor_ubuntu · 2022-04-11 · CVSS 6.1
CVE-2022-28346 [MEDIUM] Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Red Hat
vendor_redhat · 2022-04-11 · CVSS 9.8
CVE-2022-28347 [CRITICAL] CWE-89 Django: SQL injection via QuerySet.explain(options) on PostgreSQL
A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.
A flaw was found in the Django package, leading to a SQL injection. This flaw allows an attacker using a crafted dictionary containing malicious SQL queries to compromise the database completely.
Statement: Red Hat OpenStack does ship the affected version of Django. However, the product is not vulnerable since it does not implement the vulnerable method QuerySet.explain() introduced in Django 2.1.x onward.
Package: graphite-web (Red Hat Ceph Sto
Debian
vendor_debian · 2022 · CVSS 9.8
CVE-2022-28347 [CRITICAL] python-django - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before ...
A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.
Scope: local
bookworm: resolved (fixed in 2:3.2.13-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 2:3.2.13-1)
sid: resolved (fixed in 2:3.2.13-1)
trixie: resolved (fixed in 2:3.2.13-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2022/04/11/1
- https://docs.djangoproject.com/en/4.0/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
- https://www.debian.org/security/2022/dsa-5254
- https://www.djangoproject.com/weblog/2022/apr/11/security-releases/