oss-sec mailing list archives
Django: CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Mon, 11 Apr 2022 10:02:56 +0200
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ In accordance with `our security release policy<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing `Django 4.0.4 <https://docs.djangoproject.com/en/dev/releases/4.0.4/>`_,`Django 3.2.13 <https://docs.djangoproject.com/en/dev/releases/3.2.13/>`_, and
`Django 2.2.28 <https://docs.djangoproject.com/en/dev/releases/2.2.28/>`_. These release addresses the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
====================================================================================================``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
This issue has severity "high" according to the Django security policy. Affected supported versions =========================== * Django main branch * Django 4.0 * Django 3.2 * Django 2.2 Resolution ==========Patches to resolve the issue have been applied to Django's main branch and to
the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the following changesets.* On the `main branch <https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200>`__ * On the `4.0 release branch <https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60>`__ * On the `3.2 release branch <https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48>`__ * On the `2.2 release branch <https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d>`__
The following releases have been issued:* Django 4.0.4 (`download Django 4.0.4 <https://www.djangoproject.com/m/releases/4.0/Django-4.0.4.tar.gz>`_ | `4.0.4 checksums <https://www.djangoproject.com/m/pgp/Django-4.0.4.checksum.txt>`_) * Django 3.2.13 (`download Django 3.2.13 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.13.tar.gz>`_ | `3.2.13 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.13.checksum.txt>`_) * Django 2.2.28 (`download Django 2.2.28 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.28.tar.gz>`_ | `2.2.28 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.28.checksum.txt>`_)
The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.
General notes regarding security reporting ========================================== As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance or the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.
Current thread:
- Django: CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` Mariusz Felisiak (Apr 11)