CVE-2022-34265

Advisory

[This advisory has been limited. Please create a free account to view the full advisory.]

Affected package

Affected versions

[This affected versions has been limited. Please create a free account to view the full affected versions.]

Fixed versions

[This fixed versions has been limited. Please create a free account to view the full fixed versions.]

Vulnerability changelog

===========================

*July 4, 2022*

Django 3.2.14 fixes a security issue with severity "high" in 3.2.13.

CVE-2022-34265: Potential SQL injection via ``Trunc(kind)`` and ``Extract(lookup_name)`` arguments
==================================================================================================

:class:`Trunc() <django.db.models.functions.Trunc>` and
:class:`Extract() <django.db.models.functions.Extract>` database functions were
subject to SQL injection if untrusted data was used as a
``kind``/``lookup_name`` value.

Applications that constrain the lookup name and kind choice to a known safe
list are unaffected.


===========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34265
• https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
• https://docs.djangoproject.com/en/4.0/releases/security/
• https://groups.google.com/forum/#!forum/django-announce
• https://security.netapp.com/advisory/ntap-20220818-0006/
• https://www.debian.org/security/2022/dsa-5254