Published on July 06, 2022
The SQL injection vulnerability is tracked as CVE-2022-34265 and affects Django's main branch and the 4.1 (currently in beta), 4.0, and 3.2 release series. It has been fixed in today's patches and releases.
Django, a Model-Template-View web framework, is used by thousands of websites, including some well-known brands in the U.S. alone. Django instances must be upgraded or patched against bugs like this one to avoid being affected.
The high-severity SQL injection vulnerability has been addressed in Django 4.0.6 and 3.2.14, and the Django team urges developers to update or patch their instances as soon as possible.
The vulnerability could allow threat actors to attack Django web applications through the arguments passed to Trunc(kind) and Extract(lookup_name).
The advisory warns that the Trunc() and Extract() database functions were subject to SQL injection when untrusted data was used as the kind or lookup_name value.
Lookup names and kind choices that are constrained to a known safe list are not affected.
Essentially, your application isn’t vulnerable if it sanitizes or escapes the arguments before passing them to Trunc and Extract.
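The safe list the advisory refers to is the whole mitigation: the ORM interpolates the kind/lookup_name string into the SQL text, so the defence is exact membership in a known set, not escaping. The following is an added example (not from the article and not Django's own code) of an allow-list guard placed in front of Trunc() and Extract(). Django is deliberately not imported so the module runs stand-alone; the allowed values are the ones documented for Trunc's `kind` and Extract's `lookup_name`, and the view code it would protect appears only in comments. The `Event` model, the `period` query parameter and the sample query strings are assumptions constructed for the example.

```python
# Added example: allow-list guard for the Trunc(kind) / Extract(lookup_name)
# arguments that CVE-2022-34265 concerns. Not Django's code; Django is not
# imported so this runs stand-alone.
from typing import FrozenSet, Mapping, Optional

# Values documented for Django's Trunc() kind and Extract() lookup_name.
TRUNC_KINDS: FrozenSet[str] = frozenset({
    "year", "quarter", "month", "week", "day", "hour", "minute", "second",
})
EXTRACT_LOOKUPS: FrozenSet[str] = frozenset({
    "year", "iso_year", "quarter", "month", "day", "week",
    "week_day", "iso_week_day", "hour", "minute", "second",
})


class UntrustedPeriodError(ValueError):
    """Raised when a request-supplied period is not on the allow-list."""


def validate_choice(value: object, allowed: FrozenSet[str], label: str) -> str:
    """Return ``value`` unchanged only if it is exactly one of ``allowed``.

    Exact membership, not sanitising or escaping, is the check: the ORM
    interpolates these names into the SQL text, so only known-good names
    may reach it. Non-strings are rejected as well.
    """
    if not isinstance(value, str) or value not in allowed:
        raise UntrustedPeriodError(f"rejected {label}: {value!r}")
    return value


def safe_trunc_kind(value: object) -> str:
    return validate_choice(value, TRUNC_KINDS, "Trunc kind")


def safe_extract_lookup(value: object) -> str:
    return validate_choice(value, EXTRACT_LOOKUPS, "Extract lookup_name")


def resolve_period(params: Mapping[str, str], key: str = "period",
                   default: str = "day") -> str:
    """Pick the Trunc kind for a report from a query-string mapping.

    A missing key falls back to ``default``; a present but unknown value is
    an error rather than a silent fallback, so that bad input shows up in
    logs instead of being quietly mapped to something else.
    """
    raw: Optional[str] = params.get(key)
    if raw is None:
        return default
    return safe_trunc_kind(raw)


# How this plugs into a view (comments only, since Django is not imported;
# ``Event`` and the ``period`` parameter are assumed names):
#
# Vulnerable pattern, the shape the advisory describes: the raw query-string
# value is handed straight to Trunc().
#     Event.objects.annotate(p=Trunc("created", request.GET["period"]))
#
# Hardened pattern: the value is reduced to an allow-listed name first.
#     Event.objects.annotate(p=Trunc("created", resolve_period(request.GET)))


if __name__ == "__main__":
    # Constructed sample query strings standing in for request.GET.
    for sample in ({"period": "month"}, {}, {"period": "month, extra"}):
        try:
            print(sample, "->", resolve_period(sample))
        except UntrustedPeriodError as exc:
            print(sample, "->", exc)
```

Note that the two allow-lists are kept separate on purpose: `iso_year` is a valid Extract lookup but not a Trunc kind, so a single shared set would let a value through to a function that never expected it.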
Takuto Yoshikai of Aeye Security Lab was credited with responsibly reporting the vulnerability.