Headline
CVE-2022-28346: security - Django: CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 11 Apr 2022 10:02:56 +0200 From: Mariusz Felisiak <felisiak.mariusz@…il.com> To: oss-security@…ts.openwall.com Subject: Django: CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
In accordance with `our security release policy https://docs.djangoproject.com/en/dev/internals/security/\`_, the Django team is issuing `Django 4.0.4 https://docs.djangoproject.com/en/dev/releases/4.0.4/\`_, `Django 3.2.13 https://docs.djangoproject.com/en/dev/releases/3.2.13/\`_, and `Django 2.2.28 https://docs.djangoproject.com/en/dev/releases/2.2.28/\`_. These release addresses the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` ====================================================================================================
``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to these methods.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report.
This issue has severity “high” according to the Django security policy.
Affected supported versions
* Django main branch * Django 4.0 * Django 3.2 * Django 2.2
Resolution
Patches to resolve the issue have been applied to Django’s main branch and to the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the following changesets.
* On the `main branch https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200\`__ * On the `4.0 release branch https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60\`__ * On the `3.2 release branch https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48\`__ * On the `2.2 release branch https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d\`__
The following releases have been issued:
* Django 4.0.4 (`download Django 4.0.4 https://www.djangoproject.com/m/releases/4.0/Django-4.0.4.tar.gz\`_ | `4.0.4 checksums https://www.djangoproject.com/m/pgp/Django-4.0.4.checksum.txt\`_) * Django 3.2.13 (`download Django 3.2.13 https://www.djangoproject.com/m/releases/3.2/Django-3.2.13.tar.gz\`_ | `3.2.13 checksums https://www.djangoproject.com/m/pgp/Django-3.2.13.checksum.txt\`_) * Django 2.2.28 (`download Django 2.2.28 https://www.djangoproject.com/m/releases/2.2/Django-2.2.28.tar.gz\`_ | `2.2.28 checksums https://www.djangoproject.com/m/pgp/Django-2.2.28.checksum.txt\`_)
The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B https://github.com/felixxm.gpg\`_.
General notes regarding security reporting
As always, we ask that potential security issues be reported via private email to ``security@…ngoproject.com``, and not via Django’s Trac instance or the django-developers list. Please see `our security policies https://www.djangoproject.com/security/\`_ for further information.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.
Related news
Red Hat Security Advisory 2022-8872-01 - An update for python-django20 is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Issues addressed include cross site scripting, denial of service, remote shell upload, and remote SQL injection vulnerabilities.
An update for python-django20 is now available for Red Hat OpenStack Platform 16.1.9 (Train) for Red Hat Enterprise Linux (RHEL) 8.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-22818: django: Possible XSS via '{% debug %}' template tag * CVE-2022-23833: django: Denial-of-service possibility in file uploads * CVE-2022-28346: Django: SQL injection in QuerySet.annotate(),aggregate() and extra()
Red Hat Security Advisory 2022-5703-01 - An update is now available for Red Hat Ansible Automation Platform 1.2. Issues addressed include a remote SQL injection vulnerability.
An update is now available for Red Hat Ansible Automation Platform 1.2 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-28346: Django: SQL injection in QuerySet.annotate(),aggregate() and extra() * CVE-2022-28347: Django: SQL injection via QuerySet.explain(options) on PostgreSQL
An update is now available for Red Hat Ansible Automation Platform 2.1 Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-28346: Django: SQL injection in QuerySet.annotate(),aggregate() and extra() * CVE-2022-28347: Django: SQL injection via QuerySet.explain(options) on PostgreSQL
Red Hat Security Advisory 2022-5498-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include HTTP request smuggling, buffer overflow, bypass, code execution, cross site scripting, denial of service, heap overflow, information leakage, privilege escalation, remote shell upload, remote SQL injection, and traversal vulnerabilities.
An update is now available for Red Hat Satellite 6.11This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3200: libsolv: heap-based buffer overflow in testcase_read() in src/testcase.c * CVE-2021-3584: foreman: Authenticate remote code execution through Sendmail configuration * CVE-2021-4142: Satellite: Allow unintended SCA certificate to authenticate Candlepin * CVE-2021-21290: netty: Information disclosure via the local system temporary directory * CVE-2021-21295: netty: possible request smuggling in HTTP/2 due missing validation * CVE-2021-21409: netty: Request smuggling via content-length header * CVE-2021-30151: sidekiq: XSS via the queue name of the live-poll feature * CVE-2021-32839: python-sqlparse: ReDoS via regular expression i...
Red Hat Security Advisory 2022-5115-01 - An update for python-django20 is now available for Red Hat OpenStack Platform 16.2.3 (Train). Issues addressed include a remote SQL injection vulnerability.
An update for python-django20 is now available for Red Hat OpenStack Platform 16.2.3 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-28346: Django: SQL injection in QuerySet.annotate(),aggregate() and extra()