Home > Vulnerability Database > CVE-2022-28346

Mend.io Vulnerability Database

CVE-2022-28346

Good to know:

Date: April 11, 2022

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Language: Python

Severity Score

9.8

Related Resources (25)

Url: https://docs.djangoproject.com/en/4.0/releases/security

Url: https://security.netapp.com/advisory/ntap-20220609-0002/

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/

Url: https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d

Url: https://security-tracker.debian.org/tracker/CVE-2022-28346

Url: https://security.netapp.com/advisory/ntap-20220609-0002

Url: https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html

Url: https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-28346

Url: https://github.com/django/django

Url: https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48

Url: https://www.djangoproject.com/weblog/2022/apr/11/security-releases

Url: https://docs.djangoproject.com/en/4.0/releases/security/

Url: https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/

Url: https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

Url: https://groups.google.com/forum/#!forum/django-announce

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI

Url: https://groups.google.com/forum/#%21forum/django-announce

Url: https://github.com/advisories/GHSA-2gwj-7jmv-h26r

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK

Url: https://www.debian.org/security/2022/dsa-5254

Url: https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-190.yaml

Url: http://www.openwall.com/lists/oss-security/2022/04/11/1

Url: https://www.mend.io/vulnerability-database/CVE-2022-28346

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

Top Fix

Upgrade Version

Upgrade to version django - 2.2.28;django - 3.2.13;django - 4.0.4

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-28346

Good to know:

Date: April 11, 2022

Language: Python

Severity Score

Related Resources (25)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?