CVE-2022-28347

Aliases:GHSA-w24h-v9qh-8gxjBIT-django-2022-28347PYSEC-2022-191
Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 12 Apr 2022, 00:00
Last modified:13 Feb 2025, 16:32

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
0.75% LOW
1% probability -0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

12 Apr 2022, 00:00
Published
Vulnerability first disclosed
13 Feb 2025, 16:32
Last Modified
Vulnerability information updated

Description

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

CVSS Metrics

  • v4.0CRITICALScore: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • v3.1CRITICALScore: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.75% Percentile: 73%

Techniques & Countermeasures

  • CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Affected Systems

  • debiandebian_linux

    11.0

  • djangoprojectdjango

    ≥ 2.2, < 2.2.28 | ≥ 3.2, < 3.2.13 | ≥ 4.0, < 4.0.4

  • PyPIdjango

    ≥ 3.2, < 3.2.13 | ≥ 4.0, < 4.0.4 | ≥ 2.2, < 2.2.28

References (20)