Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

python-django: CVE-2022-28346

Related Vulnerabilities: CVE-2022-28346   CVE-2022-28347  

Source

Debian Bug report logs - #1009677
python-django: CVE-2022-28346

version graph

Package: python-django; Maintainer for python-django is Debian Python Team <team+python@tracker.debian.org>; Source for python-django is src:python-django (PTS, buildd, popcon).

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Thu, 14 Apr 2022 08:48:02 UTC

Severity: grave

Tags: security

Found in version 1:1.10.7-2+deb9u15

Fixed in versions 2:4.0.4-1, 2:3.2.13-1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>:
Bug#1009677; Package python-django. (Thu, 14 Apr 2022 08:48:04 GMT) (full text, mbox, link).

Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Python Team <team+python@tracker.debian.org>. (Thu, 14 Apr 2022 08:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: python-django: CVE-2022-28346
Date: Thu, 14 Apr 2022 09:37:22 +0100
Package: python-django
Version: 1:1.10.7-2+deb9u15
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-django.

CVE-2022-28346[0]:
| An issue was discovered in Django 2.2 before 2.2.28, 3.2 before
| 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and
| extra() methods are subject to SQL injection in column aliases via a
| crafted dictionary (with dictionary expansion) as the passed **kwargs.

There was another CVE as part of this release:
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

However, the CVE in question (CVE-2022-28347), does not apply in
buster, stretch or jessie; the .explain(...) functionality was added
later versions.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28346
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28346


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Marked as fixed in versions 2:3.2.13-1. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Thu, 14 Apr 2022 09:03:06 GMT) (full text, mbox, link).

Marked as fixed in versions 2:4.0.4-1. Request was from "Chris Lamb" <lamby@debian.org> to control@bugs.debian.org. (Thu, 14 Apr 2022 09:03:07 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 14 13:10:35 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started