CVE-2022-34265
Published 2022-07-04
Priority P178 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 73.27% (99.4th percentile)
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
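The "known safe list" condition above, as an added example (not code from Django or from any of the advisories quoted on this page): two loose checks that still hand the raw request value onward, next to a strict one. The endpoint's allowed subset, the default and the sample inputs are assumptions made for illustration.

```python
import re

# Assumption: the subset of Trunc() kinds this hypothetical endpoint needs.
ALLOWED_KINDS = ("year", "quarter", "month", "week", "day")

def weak_prefix_check(raw):
    # Flawed: re.match anchors only at the start, so trailing text survives.
    return raw if re.match(r"year|quarter|month|week|day", raw) else None

def weak_normalised_check(raw):
    # Flawed: validates a cleaned copy but returns the original string.
    return raw if raw.strip().lower() in ALLOWED_KINDS else None

def strict_kind(raw, default="month"):
    """Return a value taken from ALLOWED_KINDS itself, or None to reject."""
    if raw is None or raw == "":
        return default
    if not isinstance(raw, str):
        return None
    for allowed in ALLOWED_KINDS:
        if raw == allowed:
            return allowed  # hand back our own constant, never the input
    return None

# Constructed inputs: valid, quote plus trailing text, padded/upper-case,
# missing, wrong type, and a real kind this endpoint does not offer.
SAMPLES = ["month", "year'x", " DAY ", None, ["year"], "second"]

def compare():
    """Return (input, prefix check, normalised check, strict check) rows."""
    rows = []
    for sample in SAMPLES:
        text = sample if isinstance(sample, str) else ""
        rows.append((sample, weak_prefix_check(text),
                     weak_normalised_check(text), strict_kind(sample)))
    return rows

# In a view, only the strict result would reach the ORM, for example
# Trunc("pubdate", kind=kind) where "pubdate" is a hypothetical field name
# and the request is refused when strict_kind() returns None.
if __name__ == "__main__":
    for row in compare():
        print(row)
```
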
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < python-django 2:4.0.6-1 (bookworm) | python-django 2:4.0.6-1 (bookworm) |
| djangoproject | django | >= 3.2 < 3.2.14 | 3.2.14 |
| djangoproject | django | >= 3.2a1 < 3.2.14 | 3.2.14 |
| djangoproject | django | >= 4.0 < 4.0.6 | 4.0.6 |
| djangoproject | django | >= 4.0a1 < 4.0.6 | 4.0.6 |
Detection & IOCs
sigma
matchers: word in body: 'syntax error at or near "{{rand_string}}"' AND 'LINE 1: SELECT DATE_TRUNC'; status: 500
- Detect HTTP 500 responses containing both 'syntax error at or near' and 'LINE 1: SELECT DATE_TRUNC' in the response body; this indicates a successful SQL injection probe against Django's Trunc()/Extract() functions.
- Fuzz query parameters with a value containing a single quote followed by random alpha characters (e.g. test'<random>) to trigger the SQL error in Django's Trunc()/Extract() kind/lookup_name path.
- The injection point is the kind/lookup_name value passed to Django's Trunc() or Extract() database functions when untrusted user input is used directly. Monitor for SQL metacharacters (quotes, comment sequences '--') in parameters that map to date/time lookup fields.
- In CTF/PoC exploitation, attackers used PostgreSQL JSON operator '?' to bypass boolean-operator filters and achieve UNION-based data exfiltration. Look for '::jsonb' and '?' operators in query parameters as a bypass indicator.
- Machine learning-based SQL injection detection is recommended as a complement to IPS signatures, since sqlmap and other tools can generate variants that evade static signatures for this CVE.
- Applications that constrain the lookup_name/kind argument to a known safe allowlist are not vulnerable; the injection only occurs when untrusted user-controlled data is passed directly to Trunc() or Extract().
- Red Hat Satellite 6 ships affected python-django versions but is not exploitable because it does not invoke the vulnerable Trunc()/Extract() functions.
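The response-body matcher and the parameter check from the list above, as an added triage example over constructed request/response records (not code from any of the quoted sources). The record layout and the parameter names in `DATE_PARAMS` are assumptions; set them to whatever your application maps to date/time lookups.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Response-body markers taken from the matcher quoted above.
ERROR_MARKERS = ("syntax error at or near", "LINE 1: SELECT DATE_TRUNC")
# SQL metacharacters named above: quotes and the '--' comment sequence.
META = re.compile(r"['\"]|--")
# Assumption: query parameters that feed Trunc()/Extract() in the monitored app.
DATE_PARAMS = frozenset({"kind", "lookup_name"})

def triage(record):
    """Return the findings for one record with 'url', 'status' and 'body'."""
    findings = []
    query = urlsplit(record["url"]).query
    # parse_qsl percent-decodes values, so %27 is seen as a quote.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in DATE_PARAMS and META.search(value):
            findings.append("metachar-in-" + name)
    # Both markers plus a 500 status: the value reached the SQL text.
    if record["status"] == 500 and all(m in record["body"] for m in ERROR_MARKERS):
        findings.append("date-trunc-sql-error")
    return findings

# Constructed sample records (not captured traffic).
RECORDS = [
    {"url": "/books/?kind=month", "status": 200, "body": "<html>ok</html>"},
    {"url": "/books/?kind=year%27abc", "status": 500,
     "body": 'syntax error at or near "abc"\nLINE 1: SELECT DATE_TRUNC(...'},
    {"url": "/books/?q=o%27reilly&kind=day", "status": 200, "body": "<html>ok</html>"},
    {"url": "/books/?kind=day", "status": 500, "body": "Internal Server Error"},
]

def run():
    """Triage every constructed record, in order."""
    return [triage(r) for r in RECORDS]

if __name__ == "__main__":
    for rec, found in zip(RECORDS, run()):
        print(rec["url"], found)
```

A record carrying both findings means the parameter was interpolated unsanitised; a metacharacter finding without the error body still merits a check of how that view builds its `kind`/`lookup_name` argument.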
CVSS provenance
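| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |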
Red Hat
python-django: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments
vendor_redhat·2022-07-04·CVSS 9.8
CVE-2022-34265 [CRITICAL] CWE-89 python-django: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
A flaw was found in Django. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
Statement: Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Red Hat Satellite 6 versions include affected versions of python-django, however, the product is not vulnerable since it does not make use of
Ubuntu
Django vulnerability
vendor_ubuntu·2022-07-04
CVE-2022-34265 Django vulnerability
Title: Django vulnerability
Summary: Django could be made to expose sensitive information if it received a specially crafted input.
It was discovered that Django incorrectly handled certain SQL.
An attacker could possibly use this issue to expose sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2022-34265: python-django - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Tr...
vendor_debian·2022·CVSS 9.8
CVE-2022-34265 [CRITICAL] CVE-2022-34265: python-django - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Tr...
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Scope: local
bookworm: resolved (fixed in 2:4.0.6-1)
bullseye: resolved (fixed in 2:2.2.28-1~deb11u1)
forky: resolved (fixed in 2:4.0.6-1)
sid: resolved (fixed in 2:4.0.6-1)
trixie: resolved (fixed in 2:4.0.6-1)
OSV
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
osv·2022-07-05
CVE-2022-34265 [CRITICAL] Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
GHSA
Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
ghsa·2022-07-05
CVE-2022-34265 [CRITICAL] CWE-89 Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
OSV
CVE-2022-34265: An issue was discovered in Django 3
osv·2022-07-04·CVSS 9.8
CVE-2022-34265 [CRITICAL] CVE-2022-34265: An issue was discovered in Django 3
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
No detection rules found.
Nuclei
Django - SQL injection
nuclei·CVSS 9.8
CVE-2022-34265 [CRITICAL] Django - SQL injection
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Template:
```yaml
id: CVE-2022-34265
info:
  name: Django - SQL injection
  author: princechaddha
  severity: critical
  description: |
    An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
  remediation: |
    Upgrade Django to version 3.2.14 or 4.
```
CTF
exploit / writeup_en
ctf_writeups·2023·CVSS 9.8
[CRITICAL] exploit / writeup_en
# Libreria Pro
There is a service similar to **Libreria**, but the book purchase request UI has been removed and search options have been added.
The function itself is not complicated, but if we select `Pubdate:Year` and either do not specify a value or specify a value that is not an integer, an error page appears.
It can be seen that the service was implemented using the Django framework and PostgreSQL, and since it is running in **debug** mode, we can also find some code and local variables.
We can't find any points in the source code to attack, because it accesses the database using Django's models rather than writing SQL queries directly. However, the presence of `sqli_filters` in the local variables tells us there are some points for SQL injection attacks.
By googling with `django 4.0.5 sql injection`,
Unit42
Zero-Day Exploit Detection Using Machine Learning
blogs_unit42·2022-09-16
## Zero-Day Exploit Detection Using Machine Learning
Jin Chen
Lei Xu
Andrew Guan
Zhibin Zhang
Yu Fu
Published: September 16, 2022
## Executive Summary
Code injection is an attack technique widely used by threat actors to launch arbitrary code execution on victim machines through vulnerable applications. In 2021, the Open Web Application Security Project (OWASP) ranked it as third in the top 10 web application security risks.
Given the popularity of code injection in exploits, signatures with pattern matches are commonly used to identify the anomalies in network traffic (mostly URI path, header string, etc.). However, injections can happen in numerous forms, and a simple injection can easily evade a signature-based solution by adding extraneous strings. Therefore, signature-based solutions will often fail on the variants of the proof of concept (PoC) of Common Vulnerabilities and Exposures (CVEs). In this blog, we e
Checkpoint
11th July – Threat Intelligence Report
blogs_checkpoint·2022-07-11
CVE-2022-30190 11th July – Threat Intelligence Report
## 11th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th July, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
An anonymous hacker identified as “ChinaDan” has claimed to have stolen a database from the Shanghai National Police (SHGA) that includes sensitive data of 1 billion Chinese citizens, and offered to sell it for 10 bitcoins (approximately $200,000). He allegedly stole more than 22 terabytes of data including names, addresses,
https://docs.djangoproject.com/en/4.0/releases/security/
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://security.netapp.com/advisory/ntap-20220818-0006/
https://www.debian.org/security/2022/dsa-5254
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
2022-07-04
Published