The potential SQL Injection vulnerability has been tracked as CVE-2022-34265, and exists in Django’s main branch, versions 4.1 (currently in beta), 4.0, and 3.2. The vulnerability has been squashed in today’s patches and releases.
Django, a Model-Template-View web framework, is used by thousands of websites, including those of some well-known U.S. brands. Django instances must be upgraded or patched against bugs like this one to avoid being affected.
A high-severity SQL injection vulnerability has been addressed in Django 4.0.6 and 3.2.14, and the Django team urges developers to update or patch their Django instances as soon as possible.
The vulnerability could allow threat actors to attack Django web applications through the arguments passed to Trunc(kind) and Extract(lookup_name).
The advisory warns that the Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as the kind or lookup_name value.
Lookup names and kind choices that are constrained to a known safe list are not affected.
Essentially, your application isn’t vulnerable if it sanitizes or escapes the arguments before passing them to Trunc and Extract.
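The "known safe list" mitigation described above, as an added example that is not code from Django or the advisory: the allow-lists are Django's documented kind/lookup_name values, and the query helper assumes a hypothetical model with a DateTimeField named `created`.

```python
"""Allow-list the kind / lookup_name values passed to Trunc() and Extract().

Added example for this article, not code from Django or the advisory. The
allow-lists below are Django's documented values; counts_per_period() assumes
a hypothetical model with a DateTimeField named `created`.
"""
from typing import FrozenSet

# Values Django documents for Trunc(kind) on a DateTimeField.
ALLOWED_TRUNC_KINDS: FrozenSet[str] = frozenset(
    {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}
)
# Values Django documents for Extract(lookup_name). Note the lists differ:
# "week_day" is a valid Extract lookup but not a valid Trunc kind.
ALLOWED_EXTRACT_LOOKUPS: FrozenSet[str] = frozenset(
    {"year", "iso_year", "quarter", "month", "week", "week_day",
     "iso_week_day", "day", "hour", "minute", "second"}
)


def is_allowed(value: object, allowed: FrozenSet[str]) -> bool:
    """True only for an exact, case-sensitive string match against the safe list."""
    return isinstance(value, str) and value in allowed


def validated(value: object, allowed: FrozenSet[str]) -> str:
    """Return the value unchanged if it is on the list; refuse anything else.

    Rejecting (rather than escaping) is the point: these arguments become part
    of the SQL the database function emits, so only known identifiers may pass.
    """
    if not is_allowed(value, allowed):
        raise ValueError(f"unsupported Trunc/Extract argument: {value!r}")
    return str(value)


def counts_per_period(queryset, period: object):
    """Group a queryset by a caller-chosen period, checking the period first.

    Pattern the advisory warns about (untrusted value passed straight through):
        queryset.annotate(p=Trunc("created", request.GET["period"]))
    Hardened form: the value is validated against ALLOWED_TRUNC_KINDS before
    it ever reaches Trunc().
    """
    from django.db.models import Count              # imported lazily so the
    from django.db.models.functions import Trunc    # allow-list works without Django

    kind = validated(period, ALLOWED_TRUNC_KINDS)
    return (queryset.annotate(p=Trunc("created", kind))
            .values("p").annotate(n=Count("id")).order_by("p"))
```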
Aeye Security Lab researcher Takuto Yoshikai was credited with responsibly reporting the vulnerability.