Vulnerability

CVE-2022-34265

 Report advisory or correction

CVSS Score 9.8 critical

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-89

References

https://docs.djangoproject.com/en/dev/releases/3.2.14/
https://docs.djangoproject.com/en/dev/releases/4.0.6/
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
https://bugzilla.redhat.com/show_bug.cgi?id=2102896
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34265

[CVE-2022-34265] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up