
Django - SQL Injection (CVE-2022-34265)

Severity
CVSSv3 Score: 9.8
Vulnerability description

Django is affected by a SQL Injection vulnerability. The root cause of this vulnerability is the lack of input sanitization. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the database used by the Django framework.

Recommendation

Upgrade Django to the latest version. If an upgrade is not possible, constrain the lookup name and kind choice to a known safe list.
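One way to apply the recommendation above, as an added example that is not code from Pentest-Tools.com or the Django project: a request-supplied kind/lookup_name value is checked against a fixed allowlist before it ever reaches Trunc() or Extract(), and anything that is not an exact match is rejected rather than "cleaned". The allowlists reflect the lookup names documented for Django's Extract and the kinds documented for Trunc; `Article`/`published` are assumed names, and Django is imported only inside the query helpers so the validation logic runs without it.

```python
# Added example: allowlist untrusted kind/lookup_name values before they reach
# Django's Trunc()/Extract(). Not Django's own code; model names are assumed.

# Lookup names accepted by Extract() and kinds accepted by Trunc() in Django.
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})


def is_allowed(value, allowed):
    """True only for an exact (case-sensitive, untrimmed) allowlisted string.

    No normalisation is attempted: a different case, surrounding whitespace,
    a stray quote or an appended token all fail, so the untrusted string is
    never used to build SQL.
    """
    return isinstance(value, str) and value in allowed


def validate_choice(value, allowed):
    """Return value unchanged if allowlisted, otherwise raise ValueError."""
    if not is_allowed(value, allowed):
        raise ValueError("unsupported date part: %r" % (value,))
    return value


def trunc_expression(field_name, untrusted_kind):
    """Build Trunc(field, kind) from a request parameter, allowlisting kind first."""
    kind = validate_choice(untrusted_kind, TRUNC_KINDS)
    # Imported here so the validation above can be exercised without Django.
    from django.db.models.functions import Trunc  # assumes Django is installed
    return Trunc(field_name, kind)


def extract_expression(field_name, untrusted_lookup):
    """Build Extract(field, lookup_name) from a request parameter, allowlisting it first."""
    lookup = validate_choice(untrusted_lookup, EXTRACT_LOOKUPS)
    from django.db.models.functions import Extract  # assumes Django is installed
    return Extract(field_name, lookup)


def articles_per_period(queryset, untrusted_kind):
    """Group an assumed Article queryset by its 'published' field, truncated to kind."""
    from django.db.models import Count  # assumes Django is installed
    period = trunc_expression("published", untrusted_kind)
    return queryset.annotate(period=period).values("period").annotate(n=Count("pk"))
```

In a view, `articles_per_period(Article.objects.all(), request.GET.get("kind"))` raises ValueError for any value outside the allowlist; map that to a 400 response rather than passing the raw parameter through.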

Codename: Not available
Detectable with: Network Scanner
Exploitable with Sniper: No
Vuln date: Jul 2022
Published at
Updated at
Software Type: Web framework
Vendor: Django Project
Product: Django