VDB
BIT-django-2022-28346
BIT-django-2022-28346
PUBLISHED
CVSS 9.800000190734863 CRITICAL
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | django | 2.2.0, 3.2.0, 4.0.0 |
Timeline
- Mar 6, 2024 CVE Published
- Apr 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch
References
- http://www.openwall.com/lists/oss-security/2022/04/11/1 url
- https://docs.djangoproject.com/en/4.0/releases/security/ url
- https://groups.google.com/forum/#%21forum/django-announce url
- https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/ url
- https://security.netapp.com/advisory/ntap-20220609-0002/ url
- https://www.debian.org/security/2022/dsa-5254 url
- https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ url
- https://nvd.nist.gov/vuln/detail/CVE-2022-28346 url