CVE-2022-28346

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Published: Apr 12, 2022
Updated: Apr 29, 2023
CVE: CVE-2022-28346
GHSA: GHSA-2gwj-7jmv-h26r
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
djangoproject / django	4.0	4.0.4
djangoproject / django	3.2	3.2.13
djangoproject / django	2.2	2.2.28
debian / debian_linux	9.0	9.0.x
debian / debian_linux	11.0	11.0.x
Django	2.2	2.2.28
Django	3.2	3.2.13
Django	4.0	4.0.4

http://www.openwall.com/lists/oss-security/2022/04/11/1
https://docs.djangoproject.com/en/4.0/releases/security/
https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-190.yaml
https://groups.google.com/forum/#!forum/django-announce
https://groups.google.com/forum/#%21forum/django-announce
https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/[email protected]/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://security.netapp.com/advisory/ntap-20220609-0002/
https://www.debian.org/security/2022/dsa-5254
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

Vulnerability Database

289,599

CVE-2022-28346