SQL Injection Affecting django package, versions [,3.2.14) [4.0a1,4.0.6)
- Snyk ID SNYK-PYTHON-DJANGO-2940618
- published 4 Jul 2022
- disclosed 4 Jul 2022
- credit Takuto Yoshikai
Introduced: 4 Jul 2022
- CVE-2022-34265
How to fix?
Upgrade Django to version 3.2.14, 4.0.6 or higher.
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to SQL Injection through the kind argument of the Trunc() database function and the lookup_name argument of the Extract() database function: if untrusted data (for example, a request parameter) is passed as the kind/lookup_name value, it is incorporated into the generated SQL.
Note: Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Django 4.1 pre-release versions (4.1a1, 4.1a2) are also affected; avoid the 4.1 branch until 4.1.0 is released.
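The following is an added example, not code from the Snyk page or from Django itself. It shows why an unchecked kind/lookup_name is dangerous and the allowlist check that the advisory says leaves an application unaffected. The render_*_sql() functions are a simplified, hypothetical model of a backend that pastes the name into the statement text (they stand in for the vulnerable behaviour and are not Django's implementation); the allowlists are the documented Extract lookup names and Trunc kinds; the sample payload is constructed for the demonstration.

```python
"""Allowlisting Trunc(kind) / Extract(lookup_name) before they reach the ORM.

Added example; not Django code. render_extract_sql() and render_trunc_sql()
are a deliberately simplified model of a backend that interpolates the name
into the SQL text (the dangerous pattern). The allowlists come from the
Django documentation for Extract and Trunc.
"""

# Documented Extract(lookup_name=...) values.
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})

# Documented Trunc(kind=...) values.
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "date", "time",
    "hour", "minute", "second",
})


def render_extract_sql(lookup_name: str, column: str) -> str:
    """Hypothetical model of the vulnerable pattern: the name becomes SQL text,
    not a bound parameter, so whatever the caller supplies is executed."""
    return "EXTRACT('%s' FROM %s)" % (lookup_name, column)


def render_trunc_sql(kind: str, column: str) -> str:
    """Same simplified model for a DATE_TRUNC-style template."""
    return "DATE_TRUNC('%s', %s)" % (kind, column)


def is_allowed_lookup_name(value: str) -> bool:
    """Exact-match allowlist; no normalisation, no isidentifier() shortcuts."""
    return value in EXTRACT_LOOKUPS


def is_allowed_kind(value: str) -> bool:
    return value in TRUNC_KINDS


def validated_lookup_name(value: str) -> str:
    """Return value only if it is a known Extract lookup name, else raise.

    Call this on request-supplied input before building Extract(...), so the
    ORM never sees an attacker-controlled name. Same idea for Trunc below.
    """
    if not is_allowed_lookup_name(value):
        raise ValueError("unsupported lookup_name: %r" % value)
    return value


def validated_kind(value: str) -> str:
    if not is_allowed_kind(value):
        raise ValueError("unsupported kind: %r" % value)
    return value


def safe_extract_sql(lookup_name: str, column: str) -> str:
    """Hardened path: allowlist first, then render."""
    return render_extract_sql(validated_lookup_name(lookup_name), column)


# Shape of the call in a Django view (not run here; requires Django):
#   from django.db.models.functions import Trunc
#   kind = validated_kind(request.GET.get("granularity", "day"))
#   qs = Event.objects.annotate(bucket=Trunc("created_at", kind))


def demo() -> dict:
    """Run the unchecked and allowlisted paths on the same inputs."""
    column = "created_at"
    benign = "year"
    # Constructed sample input: a value that breaks out of the quoted name.
    payload = "year' FROM x) UNION SELECT 1 --"
    try:
        safe_extract_sql(payload, column)
        payload_rejected = False
    except ValueError:
        payload_rejected = True
    return {
        "benign_sql": render_extract_sql(benign, column),
        "unchecked_payload_sql": render_extract_sql(payload, column),
        "benign_allowed": is_allowed_lookup_name(benign),
        "payload_rejected": payload_rejected,
        "trunc_day_allowed": is_allowed_kind("day"),
        "trunc_payload_allowed": is_allowed_kind("day'); DROP TABLE x; --"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The allowlist is the "known safe list" the advisory refers to and is worth keeping even after upgrading, because it also stops a caller from selecting a granularity the application never meant to expose. Upgrading to 3.2.14 / 4.0.6 remains the actual fix; the check here is defence in depth at the input boundary.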