HomePentest-Tools.com Logo

Django - SQL Injection CVE-2022-34265

Severity
CVSSv3 Score
9.8
Vulnerability description

Django is affected by a SQL Injection vulnerability. The root cause of this vulnerability is the lack of input sanitization. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the databased used by the Django framework.

Recommendation

Upgrade Django to the latest version. If an upgrade is not possible, constrain the lookup name and kind choice to a known safe list.

Codename
Not available
Detectable with
Network Scanner
Scan engine
Sniper
Exploitable with Sniper
No
CVE Published
Jul 4, 2022
Detection added at
Software Type
Web framework
Vendor
Django Project
Product
Django