Django SQL Injection Vulnerability Exists in the Wild 

July 4, 2022 

The Django project, an open-source Python-based web framework, has patched a high-severity SQL injection vulnerability in its latest releases.

The vulnerability affects thousands of websites that use Django as their Model-Template-View framework.

The Vulnerability

  • CVE-2022-34265 (High severity) – a potential SQL injection vulnerability that lets a threat actor attack Django web applications when untrusted data reaches the kind argument of the Trunc() function or the lookup_name argument of the Extract() function.
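As an added illustration (not part of this post and not Django's own code), the Python below shows the defensive pattern an application can apply on its own side of the Trunc()/Extract() boundary: constrain the kind and lookup_name values to a known-safe list, or better, map a user-facing choice to a fixed value so the raw parameter never reaches the ORM. It also includes a small ast-based scan that flags Trunc() or Extract() calls whose kind/lookup_name argument is not a string literal, so a code base can be audited for the risky pattern without installing Django. The allow-list contents, the helper names and the sample view source are assumptions made for this example; confirm the allowed values against the Django release in use.

```python
"""Added example for CVE-2022-34265 (not from the post or from Django itself).

Two defensive helpers:
  1. safe_kind() / safe_lookup_name() / kind_for_granularity(): constrain
     user-controlled input before it reaches Trunc(kind=...) or
     Extract(lookup_name=...).
  2. find_untrusted_datetime_args(): ast scan that reports Trunc()/Extract()
     calls whose kind / lookup_name argument is not a string literal.
"""
import ast

# Assumption: the kinds/lookup names documented for Django's Trunc() and Extract().
TRUNC_KINDS = frozenset(
    {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}
)
EXTRACT_LOOKUP_NAMES = frozenset(
    {"year", "iso_year", "quarter", "month", "week", "week_day",
     "iso_week_day", "day", "hour", "minute", "second"}
)

# Hypothetical mapping from a UI choice to a fixed kind: the raw request
# parameter is only ever used as a dictionary key, never passed through.
GRANULARITY_TO_KIND = {"daily": "day", "weekly": "week", "monthly": "month"}


def safe_kind(value):
    """Return value if it is an allowed Trunc kind, else raise ValueError."""
    if value not in TRUNC_KINDS:
        raise ValueError(f"unsupported Trunc kind: {value!r}")
    return value


def safe_lookup_name(value):
    """Return value if it is an allowed Extract lookup_name, else raise."""
    if value not in EXTRACT_LOOKUP_NAMES:
        raise ValueError(f"unsupported Extract lookup_name: {value!r}")
    return value


def kind_for_granularity(choice):
    """Translate a user-facing choice into a fixed kind (preferred pattern)."""
    try:
        return GRANULARITY_TO_KIND[choice]
    except KeyError:
        raise ValueError(f"unknown granularity: {choice!r}") from None


# Generic functions whose second positional / named argument must be trusted.
# TruncMonth, ExtractYear, etc. fix the value in the class and are not flagged.
RISKY_CALLS = {"Trunc": ("kind", 1), "Extract": ("lookup_name", 1)}


def _call_name(node):
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_untrusted_datetime_args(source, filename="<source>"):
    """Return (filename, line, function, argument_text) for each Trunc()/
    Extract() call whose kind/lookup_name is not a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or _call_name(node) not in RISKY_CALLS:
            continue
        kw_name, position = RISKY_CALLS[_call_name(node)]
        arg = next((kw.value for kw in node.keywords if kw.arg == kw_name), None)
        if arg is None and len(node.args) > position:
            arg = node.args[position]
        if arg is None:
            continue  # argument omitted; Django rejects that itself
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            continue  # literal value: not attacker controlled
        findings.append((filename, node.lineno, _call_name(node), ast.unparse(arg)))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample of application code to scan (not real project code).
SAMPLE_VIEWS = '''
from django.db.models.functions import Trunc, Extract, TruncMonth

def report(request):
    kind = request.GET.get("kind", "day")
    qs = Order.objects.annotate(period=Trunc("created", kind))
    qs2 = Order.objects.annotate(part=Extract("created", lookup_name=request.GET["part"]))
    qs3 = Order.objects.annotate(month=TruncMonth("created"))
    qs4 = Order.objects.annotate(y=Extract("created", "year"))
    return qs, qs2, qs3, qs4
'''


if __name__ == "__main__":
    for finding in find_untrusted_datetime_args(SAMPLE_VIEWS, "views.py"):
        print("%s:%d %s() receives non-literal argument %s" % finding)
    print(safe_kind(kind_for_granularity("monthly")))
```

Running the block reports the two calls in the sample that take their argument from the request and stays silent on the TruncMonth subclass and the literal "year"; the scan only inspects syntax, so a variable that happens to hold a constant is still reported and should be reviewed by hand.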

Affected Products

  • Django main branch 
  • Django 4.1 (currently at beta status) 
  • Django 4.0 
  • Django 3.2 

Mitigation

CYREBRO recommends updating Django instances to the latest versions: 

Workaround

If you are unable to upgrade, the Django team has made patches available that can be applied to existing affected versions. 

The patches are available from the following changesets: 

References: Django Advisory 
