VDB
CVE-2022-28346
CVE-2022-28346
PUBLISHED
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
EPSS 1.97% · 83.8th percentile
Risk Scores
EPSS Score
1.97%
83.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | django | 2.2.0, 4.0.0, 3.2.0 |
| Bitnami | django | 2.2.0, 3.2.0, 4.0.0 |
Timeline
- Apr 12, 2022 CVE Published
- Apr 12, 2022 EPSS Score
- Apr 26, 2022 EPSS Score
- Jun 10, 2022 EPSS Score
- Jul 22, 2022 EPSS Score
- Oct 16, 2022 EPSS Score
- Oct 31, 2022 EPSS Score
- Dec 20, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 30, 2023 EPSS Score
- May 20, 2023 EPSS Score
- Aug 28, 2023 EPSS Score
References
- http://www.openwall.com/lists/oss-security/2022/04/11/1 url
- https://docs.djangoproject.com/en/4.0/releases/security/ url
- https://groups.google.com/forum/#%21forum/django-announce url
- https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/ url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/ url
- https://security.netapp.com/advisory/ntap-20220609-0002/ url
- https://www.debian.org/security/2022/dsa-5254 url
- https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ url
- https://nvd.nist.gov/vuln/detail/CVE-2022-28346 url