CVE-2022-34265

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Published: Jul 4, 2022
Updated: Apr 29, 2023
CVE: CVE-2022-34265
GHSA: GHSA-p64x-8rxx-wf6q
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
djangoproject / django	4.0	4.0.6
djangoproject / django	3.2	3.2.14
Django	3.2	3.2.14
Django	4.0	4.0.6

https://docs.djangoproject.com/en/4.0/releases/security/
https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db
https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml
https://groups.google.com/forum/#!forum/django-announce
https://groups.google.com/forum/#%21forum/django-announce
https://lists.fedoraproject.org/archives/list/[email protected]/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/[email protected]/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://security.netapp.com/advisory/ntap-20220818-0006/
https://www.debian.org/security/2022/dsa-5254
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/

Vulnerability Database

289,599

CVE-2022-34265