Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-34265SQL Injection in Django

CWE-89SQL Injection9 documents8 sources
Severity
9.8CRITICALNVD
EPSS
92.8%
top 0.24%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Djangoproject Django
Timeline
PublishedJul 4
Latest updateJul 5

Description

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDdjangoproject/django3.23.2.14+1
PyPIdjangoproject/django3.2a13.2.14+1

Patches

Patch: docs.djangoproject.comPatch: www.djangoproject.comPatch: docs.djangoproject.com

🔴Vulnerability Details

4
OSV
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection2022-07-05
GHSA
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection2022-07-05
CVEList
CVE-2022-34265: An issue was discovered in Django 32022-07-04
OSV
CVE-2022-34265: An issue was discovered in Django 32022-07-04

💥Exploits & PoCs

1
Nuclei
Django - SQL injection

📋Vendor Advisories

3
Red Hat
python-django: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments2022-07-04
Ubuntu
Django vulnerability2022-07-04
Debian
CVE-2022-34265: python-django - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Tr...2022
CVE-2022-34265 — SQL Injection in Djangoproject Django | cvebase