Vulnerability Details : CVE-2022-28347
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Vulnerability category: Sql Injection
Products affected by CVE-2022-28347
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-28347
0.41%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-28347
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2022-28347
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-28347
-
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
Django security releases issued: 4.0.4, 3.2.13, and 2.2.28 | Weblog | DjangoPatch;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2022/04/11/1
oss-security - Django: CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``Mailing List;Patch;Third Party Advisory
-
https://www.debian.org/security/2022/dsa-5254
Debian -- Security Information -- DSA-5254-1 python-djangoThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
[SECURITY] Fedora 37 Update: python-django-4.0.10-1.fc37 - package-announce - Fedora Mailing-Lists
-
https://docs.djangoproject.com/en/4.0/releases/security/
Archive of security issues | Django documentation | DjangoPatch;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
[SECURITY] Fedora 38 Update: python-django-4.0.10-1.fc38 - package-announce - Fedora Mailing-Lists
-
https://groups.google.com/forum/#!forum/django-announce
django-announce - Google GroupsMailing List;Third Party Advisory
Jump to