CVE-2022-34265
published 2022-07-04


Priority: P178 · Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 73.27% (99.4th percentile)
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Affected (5 ranges)

Vendor         Product        Version range                              Fixed in
debian         python-django  < python-django 2:4.0.6-1 (bookworm)       python-django 2:4.0.6-1 (bookworm)
djangoproject  django         >= 3.2 < 3.2.14                            3.2.14
djangoproject  django         >= 3.2a1 < 3.2.14                          3.2.14
djangoproject  django         >= 4.0 < 4.0.6                             4.0.6
djangoproject  django         >= 4.0a1 < 4.0.6                           4.0.6

Detection & IOCs (extracted from sources)

url: https://github.com/vulhub/vulhub/tree/master/django/CVE-2022-34265
url: https://github.com/aeyesec/CVE-2022-34265
sigma rule matchers: word in body: 'syntax error at or near "{{rand_string}}"' AND 'LINE 1: SELECT DATE_TRUNC'; status: 500
  • Detect HTTP 500 responses containing both 'syntax error at or near' and 'LINE 1: SELECT DATE_TRUNC' in the response body — this indicates a successful SQL injection probe against Django's Trunc()/Extract() functions.
  • Fuzz query parameters with a value containing a single quote followed by random alpha characters (e.g. test'<random>) to trigger the SQL error in Django's Trunc()/Extract() kind/lookup_name path.
  • The injection point is the kind/lookup_name value passed to Django's Trunc() or Extract() database functions when untrusted user input is used directly — monitor for SQL metacharacters (quotes, comment sequences '--') in parameters that map to date/time lookup fields.
  • In CTF/PoC exploitation, attackers used PostgreSQL JSON operator '?' to bypass boolean-operator filters and achieve UNION-based data exfiltration — look for '::jsonb' and '?' operators in query parameters as a bypass indicator.
  • Machine learning-based SQL injection detection is recommended as a complement to IPS signatures, since sqlmap and other tools can generate variants that evade static signatures for this CVE.
  • Applications that constrain the lookup_name/kind argument to a known safe allowlist are not vulnerable; the injection only occurs when untrusted user-controlled data is passed directly to Trunc() or Extract().
  • Red Hat Satellite 6 ships affected python-django versions but is not exploitable because it does not invoke the vulnerable Trunc()/Extract() functions.
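As an added illustration (not code from cvebase, the Django project or either PoC repository), the allowlist check described above sits beside the Sigma-style response matcher from this section, run over constructed sample responses. The kind and lookup_name sets are Django's documented Trunc() and Extract() values; the function names and sample bodies are assumptions made for this example.

```python
# Added example: allowlist the Trunc()/Extract() argument (the mitigation the
# advisory names) and apply the page's Sigma matchers to HTTP responses.
# Function names and SAMPLE_RESPONSES are constructed for this example; the
# kind / lookup_name sets are Django's documented values.

# Kinds accepted by Django's Trunc().
TRUNC_KINDS = frozenset({"year", "quarter", "month", "week", "day",
                         "hour", "minute", "second", "date", "time"})
# lookup_name values accepted by Django's Extract().
EXTRACT_LOOKUPS = frozenset({"year", "iso_year", "quarter", "month", "week",
                             "week_day", "iso_week_day", "day", "hour",
                             "minute", "second"})


def safe_trunc_kind(untrusted, default="day"):
    """Return `untrusted` only if it is a known Trunc() kind, else `default`.
    Call this before Trunc(field, kind=...) instead of passing request data."""
    return untrusted if untrusted in TRUNC_KINDS else default


def safe_extract_lookup(untrusted, default="year"):
    """Same allowlist check for Extract(field, lookup_name=...)."""
    return untrusted if untrusted in EXTRACT_LOOKUPS else default


# Detection side: the two body strings from the Sigma matchers, on an HTTP 500.
ERROR_MARKERS = ("syntax error at or near", "LINE 1: SELECT DATE_TRUNC")


def is_trunc_injection_error(status, body):
    """True when a response matches the rule: status 500 and a body carrying
    both the PostgreSQL syntax error and the DATE_TRUNC statement fragment."""
    return status == 500 and all(marker in body for marker in ERROR_MARKERS)


def flag_responses(responses):
    """Return the indexes of (status, body) pairs that match the rule."""
    return [i for i, (status, body) in enumerate(responses)
            if is_trunc_injection_error(status, body)]


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = [
    (500, 'ProgrammingError: syntax error at or near "xyz"\n'
          "LINE 1: SELECT DATE_TRUNC('xyz', ..."),
    (200, '[{"day": "2022-07-04", "count": 3}]'),
    (500, "Server Error (500)"),  # generic error page, no match
]

if __name__ == "__main__":
    print(flag_responses(SAMPLE_RESPONSES))  # [0]
```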

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL