CVE-2022-28347

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

===========================

*April 11, 2022*

Django 3.2.13 fixes two security issues with severity "high" in
3.2.12 and a regression in 3.2.4.

CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
====================================================================================================

:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.

CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL
=========================================================================================

:meth:`.QuerySet.explain` method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
``**options`` argument.

Bugfixes
========

* Fixed a regression in Django 3.2.4 that caused the auto-reloader to no longer
detect changes when the ``DIRS`` option of the ``TEMPLATES`` setting
contained an empty string (:ticket:`33628`).


===========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28347
• http://www.openwall.com/lists/oss-security/2022/04/11/1
• https://docs.djangoproject.com/en/4.0/releases/security/
• https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
• https://groups.google.com/forum/#!forum/django-announce
• https://www.debian.org/security/2022/dsa-5254