Django - SQL Injection (CVE-2022-34265)
- Severity
- CVSSv3 Score
- 9.8
- Vulnerability description
Django is affected by a SQL Injection vulnerability in its Trunc() and Extract() database functions. Django 3.2 before 3.2.14 and 4.0 before 4.0.6 place the kind (Trunc) and lookup_name (Extract) arguments into the generated SQL without validating them, so an application that passes untrusted data (for example, a query-string parameter) as that value is subject to SQL injection. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
- Risk description
The risk exists that a remote attacker who controls the kind or lookup_name value reaching Trunc() or Extract() (no authentication is needed if the application exposes that value to anonymous users) can execute arbitrary SQL with the privileges of the application's database account and fully compromise the database used by the Django application.
- Recommendation
Upgrade Django to 4.0.6, 3.2.14 or a later release. If an upgrade is not possible, constrain the lookup name and kind choice to a known safe list (an allow-list of only the names the application actually needs) before the value is passed to Trunc() or Extract().
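The following is an added example, not code from the Django project or from this advisory. It shows the allow-list mitigation described above: the lookup name is checked against a fixed set before it reaches Extract()/Trunc(). To make the injection surface visible without a database, `build_extract_sql()` uses a simplified, PostgreSQL-style `EXTRACT(... FROM ...)` template that is an assumption for illustration, not Django's backend code; the table names, the `app_event`/`auth_user` columns and the injected value are constructed for the example.

```python
"""Allow-list guard for Extract()/Trunc() lookup names (CVE-2022-34265 mitigation).

Added example; not Django's code. Django's actual SQL generation differs per backend,
but the shape of the problem is the same: a caller-supplied name ends up inside the
SQL text instead of in a bound parameter.
"""

# Names Django's Extract() documents as lookup names, and the kinds Trunc() accepts.
# Assumed allow-lists for this example: trim them to what the application needs.
ALLOWED_EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day", "iso_week_day",
    "day", "hour", "minute", "second",
})
ALLOWED_TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "hour", "minute", "second",
})


class UnsafeLookupName(ValueError):
    """Raised when a lookup_name/kind value is not on the allow-list."""


def safe_lookup_name(value, allowed=ALLOWED_EXTRACT_LOOKUPS):
    """Return value only if it is exactly one of the allowed names.

    Exact membership is used on purpose: no case-folding, no stripping, no regex,
    so an attacker cannot smuggle anything past the check.
    """
    if not isinstance(value, str) or value not in allowed:
        raise UnsafeLookupName(f"rejected lookup name: {value!r}")
    return value


def build_extract_sql(lookup_name, column, validate=True):
    """Illustrative template only (not Django's backend code).

    With validate=False this reproduces the vulnerable pattern: the name is
    formatted straight into the SQL text. With validate=True the allow-list
    check runs first, so only a known name can reach the template.
    """
    if validate:
        lookup_name = safe_lookup_name(lookup_name)
    return f"SELECT EXTRACT({lookup_name} FROM {column}) FROM app_event"


def guarded_sql(lookup_name, column):
    """Return the SQL for an allowed name, or None if the name was rejected."""
    try:
        return build_extract_sql(lookup_name, column, validate=True)
    except UnsafeLookupName:
        return None


def annotate_from_request(queryset, untrusted_lookup):
    """How the guard is used with the real ORM (needs Django installed; the
    import is deferred so the rest of the module runs without it).

    The vetted name is what gets passed to Extract(); the raw request value never
    touches the ORM call.
    """
    from django.db.models.functions import Extract  # deferred: Django only
    lookup = safe_lookup_name(untrusted_lookup, ALLOWED_EXTRACT_LOOKUPS)
    return queryset.annotate(part=Extract("created_at", lookup))


# Constructed attacker-controlled value: closes the EXTRACT() call and the FROM
# clause, appends a UNION, and comments out the rest of the template.
INJECTED = (
    "year FROM created_at) FROM app_event "
    "UNION SELECT username FROM auth_user --"
)

if __name__ == "__main__":
    print("vulnerable pattern:", build_extract_sql(INJECTED, "created_at", validate=False))
    print("with allow-list   :", guarded_sql(INJECTED, "created_at"))
    print("legitimate value  :", guarded_sql("month", "created_at"))
```

The point of `safe_lookup_name()` is that it rejects anything that is not literally one of the expected names; a regex such as `\w+` would also stop this particular payload, but an exact-match allow-list is what the advisory recommends and it cannot be bypassed by a backend-specific quoting trick.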
- References
https://nvd.nist.gov/vuln/detail/CVE-2022-34265
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
- Codename
- Not available
- Detectable with
- Network Scanner
- Exploitable with Sniper
- No
- Vuln date
- Jul 2022
- Published at
- Updated at
- Software Type
- Web framework
- Vendor
- Django Project
- Product
- Django