Django - SQL Injection CVE-2022-34265
- Severity
- CVSSv3 Score
- 9.8
- Vulnerability description
Django is affected by a SQL Injection vulnerability.
The root cause of this vulnerability is the lack of input sanitization. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
- Risk description
The risk exists that a remote unauthenticated attacker can fully compromise the database used by the Django framework.
- Recommendation
Upgrade Django to the latest version. If an upgrade is not possible, constrain the lookup name and kind choice to a known safe list.
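The allow-list mitigation described above, as an added example that is not Django project code: the sets of valid Trunc() kinds and Extract() lookup names are checked by exact membership before the value reaches the ORM. The `bucket_by` helper and its `created` field are hypothetical view wiring.

```python
# Added example (not Django project code): allow-list the caller-supplied
# Trunc()/Extract() argument before it reaches the ORM, as the
# recommendation describes. bucket_by() is a hypothetical view helper.

# Valid values as documented for Django's Trunc(kind=...) and
# Extract(lookup_name=...); the set is the allow-list, nothing else passes.
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})


def is_allowed_trunc_kind(value) -> bool:
    # Exact, case-sensitive membership: no stripping, no prefix matching,
    # so anything that is not one of the fixed strings is rejected outright.
    return isinstance(value, str) and value in TRUNC_KINDS


def is_allowed_extract_lookup(value) -> bool:
    return isinstance(value, str) and value in EXTRACT_LOOKUPS


def safe_trunc_kind(value) -> str:
    """Return value unchanged if allow-listed, otherwise raise ValueError."""
    if not is_allowed_trunc_kind(value):
        raise ValueError("unsupported Trunc kind")
    return value


def safe_extract_lookup(value) -> str:
    """Return value unchanged if allow-listed, otherwise raise ValueError."""
    if not is_allowed_extract_lookup(value):
        raise ValueError("unsupported Extract lookup_name")
    return value


# Hypothetical view helper. The unsafe pattern passes request input straight
# through, e.g. Trunc("created", request.GET["kind"]); validating first means
# only one of the fixed strings above can ever reach the query builder.
def bucket_by(queryset, field, kind):
    from django.db.models.functions import Trunc  # lazy import: module stays importable without Django
    return queryset.annotate(bucket=Trunc(field, safe_trunc_kind(kind)))
```

A value that fails the check should be answered with a 400, not passed on; the membership test, not escaping, is what keeps the query safe.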
- References
- https://nvd.nist.gov/vuln/detail/CVE-2022-34265
- https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
- Codename
- Not available
- Detectable with
- Network Scanner
- Scan engine
- Sniper
- Exploitable with Sniper
- No
- CVE Published
- Jul 4, 2022
- Detection added at
- Software Type
- Web framework
- Vendor
- Django Project
- Product
- Django