Django SQL Injection Vulnerability Exists in the Wild
July 4, 2022
The Django project, an open-source Python-based web framework, has patched a high severity SQL Injection vulnerability in its latest releases.
The vulnerability affects thousands of websites which use Django as their Model-Template-View framework.
The Vulnerability
- CVE-2022-34265 (High severity): a potential SQL injection vulnerability that lets a threat actor attack Django web applications through the kind and lookup_name arguments passed to the Trunc() and Extract() database functions, when those arguments are built from untrusted input.
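The defensive control that matters here is keeping user-supplied values out of the kind and lookup_name arguments altogether: the Django advisory notes that applications which restrict those arguments to a known safe list are unaffected, regardless of version. The following is an added example (not Django's code and not part of this advisory) showing an allowlist layer that a view or report builder can run before anything reaches the ORM. The vocabularies mirror the values documented for Trunc() and Extract(); `render_extract_sql` is a simplified stand-in for the backend's SQL template, included only to make visible that the argument lands in the statement text rather than in a bound parameter, and `period_from_request` with its `period` query-string key is a hypothetical view helper.

```python
"""Allowlist guard for Trunc(kind) / Extract(lookup_name) arguments.

Added example for CVE-2022-34265: not Django's own code. Runs without Django
installed; the ORM call site is represented by a string template.
"""

# Closed vocabularies. Nothing outside these sets may be forwarded to the ORM.
# (Values follow the Trunc()/Extract() kinds documented by Django; assumption
# for this example: TruncDate/TruncTime are handled by their own classes.)
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "hour", "minute", "second",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})


class UnsafeDateArgument(ValueError):
    """Raised when a value outside the allowlist would reach Trunc()/Extract()."""


def safe_trunc_kind(value):
    """Return value unchanged if it is a known Trunc() kind, otherwise raise.

    Exact-match membership on a frozenset: no normalisation, no prefix
    matching, so "month) FROM t --" can never be mistaken for "month".
    """
    if not isinstance(value, str) or value not in TRUNC_KINDS:
        raise UnsafeDateArgument("refusing Trunc kind %r" % (value,))
    return value


def safe_extract_lookup(value):
    """Return value unchanged if it is a known Extract() lookup_name, else raise."""
    if not isinstance(value, str) or value not in EXTRACT_LOOKUPS:
        raise UnsafeDateArgument("refusing Extract lookup_name %r" % (value,))
    return value


def render_extract_sql(lookup_name, column):
    """Simplified stand-in for a backend SQL template (assumption, illustration only).

    The lookup name becomes part of the statement text rather than a bound
    parameter, which is why the allowlist check must run before this point.
    """
    return "EXTRACT(%s FROM %s)" % (lookup_name, column)


def period_from_request(params, default="day"):
    """Resolve the hypothetical 'period' query-string parameter into a Trunc kind.

    `params` is a plain dict standing in for request.GET. Unknown or absent
    values never reach the ORM: absent falls back to `default`, unknown raises.
    """
    return safe_trunc_kind(params.get("period", default))


def rejects(validator, value):
    """Helper for callers/tests: True if `validator` refuses `value`."""
    try:
        validator(value)
    except UnsafeDateArgument:
        return True
    return False


if __name__ == "__main__":
    # Constructed request parameters, one benign and one malformed.
    print(period_from_request({"period": "week"}))
    print(render_extract_sql(safe_extract_lookup("iso_year"), "created_at"))
    print(rejects(safe_trunc_kind, "month) FROM t --"))
```

At the real call site the validated value is what gets passed on, e.g. `Trunc("created_at", period_from_request(request.GET))`; anything that fails validation should be turned into a 400 response rather than logged and forwarded. Upgrading still matters, because the allowlist only protects the code paths you remember to wrap.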
Affected Products
- Django main branch
- Django 4.1 (currently at beta status)
- Django 4.0
- Django 3.2
Mitigation
CYREBRO recommends updating Django instances to the latest patched versions.
Workaround
If you are unable to upgrade, the Django team has made patches available that can be applied to the affected versions.
The patches are available from the following changesets:
- On the main branch
- On the 4.1 release branch
- On the 4.0 release branch
- On the 3.2 release branch
References: Django Advisory