PYSEC-2022-190 — Vulnetix

PYSEC-2022-190 PUBLISHED CVSS 9.300000190734863 CRITICAL

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	django	4.0, 3.2, 2.2

Timeline

Apr 12, 2022 CVE Published
Dec 6, 2023 CVE Updated

References

http://www.openwall.com/lists/oss-security/2022/04/11/1 url
https://docs.djangoproject.com/en/4.0/releases/security/ url
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ article
https://groups.google.com/forum/#!forum/django-announce url
https://github.com/advisories/GHSA-2gwj-7jmv-h26r advisory
https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html advisory

Open in Interactive Console →