Beware of Django SQL Injection Vulnerability

Django is a free and open-source Python web framework maintained by the independent Django Software Foundation.

An issue was discovered (CVE-2022-34265) in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
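As an added illustration (not code from the Django project or from this post), this is the application-side guard the advisory describes: a kind or lookup_name is accepted only if it matches a fixed allowlist before it ever reaches Trunc() or Extract(). The allowlists mirror the values Django documents for those functions, and the query-string parameter names group_by and part are assumptions.

```python
"""Allowlist guard for Trunc()/Extract() kind and lookup_name values.

Added illustration, not Django's own code. The lists below mirror the
values Django documents for Trunc kinds and Extract lookup names (check
them against the Django version you run). In CVE-2022-34265 these values
reached the generated SQL unescaped, so the application-side mitigation
is to accept only values from a fixed list.
"""
from __future__ import annotations

from typing import Mapping

# Assumed allowlists; trim them to the kinds your queries actually need.
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "day", "week",
    "week_day", "iso_week_day", "hour", "minute", "second",
})


class UnsafeLookupName(ValueError):
    """Raised when a request-supplied kind/lookup_name is not allowlisted."""


def resolve_kind(value: object, allowed: frozenset[str]) -> str:
    """Return value only if it is exactly one of the allowlisted names.

    The comparison is exact and case-sensitive: no normalisation and no
    substring matching, so only the literal names can pass through to
    the ORM function.
    """
    if not isinstance(value, str) or value not in allowed:
        raise UnsafeLookupName(f"rejected kind/lookup_name: {value!r}")
    return value


def trunc_kind_from_request(params: Mapping[str, str], default: str = "day") -> str:
    """Pick the Trunc() kind for a report view from query-string parameters.

    Usage in a view (Django import omitted so this file runs stand-alone):
        kind = trunc_kind_from_request(request.GET)
        qs = Order.objects.annotate(period=Trunc("created", kind))
    """
    return resolve_kind(params.get("group_by", default), TRUNC_KINDS)


def extract_lookup_from_request(params: Mapping[str, str], default: str = "month") -> str:
    """Same guard for Extract(expression, lookup_name)."""
    return resolve_kind(params.get("part", default), EXTRACT_LOOKUPS)
```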

On July 4th, the Django Project announced that the vulnerability was fixed in the latest versions, 4.0.6 and 3.2.14. The developers also said they will release patches for older versions.

Affected Products:
Django main branch
Django 4.1 (currently at beta status)
Django 4.0
Django 3.2
