CVE-2022-28347

Description

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

How to fix CVE-2022-28347

To remediate CVE-2022-28347, upgrade the affected package to a fixed version below.

• —upgrade to 2.2.28 or later
• —upgrade to 2:2.2.28-1~deb11u1 or later
• —upgrade to 2.2.28 or later
• —upgrade to 4.0.4 or later

Is CVE-2022-28347 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 2.2.0, < 2.2.28, >= 3.2.0, < 3.2.13, >= 4.0.0, < 4.0.4
• from 0, < 2:2.2.28-1~deb11u1
• >= 2.2, < 2.2.28
• >= 4.0, < 4.0.4, >= 3.2, < 3.2.13, >= 2.2, < 2.2.28

CVSS scores

References (21)

• ADVISORYgithub.com/advisories/GHSA-w24h-v9qh-8gxj
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-28347
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-28347
• ADVISORYwww.djangoproject.com/weblog/2022/apr/11/security-releases/
• PATCH