A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
References
Configurations
History
28 Apr 2023, 05:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Apr 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Nov 2022, 02:21
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | |
References | (DEBIAN) https://www.debian.org/security/2022/dsa-5254 - Third Party Advisory |
16 Oct 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
19 Apr 2022, 15:49
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
References | (MISC) https://docs.djangoproject.com/en/4.0/releases/security/ - Patch, Vendor Advisory | |
References | (MISC) https://groups.google.com/forum/#!forum/django-announce - Mailing List, Third Party Advisory | |
References | (MISC) http://www.openwall.com/lists/oss-security/2022/04/11/1 - Mailing List, Patch, Third Party Advisory | |
References | (MISC) https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ - Patch, Vendor Advisory | |
CWE | CWE-89 |
12 Apr 2022, 09:07
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-12 05:15
Updated : 2024-02-04 22:29
NVD link : CVE-2022-28347
Mitre link : CVE-2022-28347
CVE.ORG link : CVE-2022-28347
JSON object : View
Products Affected
debian
- debian_linux
djangoproject
- django
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')