Beware of Django SQL Injection Vulnerability

Django is a free and open-source Python web framework maintained by the independent Django Software Foundation.

An issue was discovered (CVE-2022-34265) in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
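The post's last sentence is the practical mitigation: an application that only ever passes a known, fixed set of values as `kind` or `lookup_name` is unaffected regardless of Django version. The following is an added example, not code from the post or from the Django project, showing what such a constraint looks like as a small allowlist helper. It assumes the application reads the kind from a request parameter (the `request.GET["kind"]` usage in the comments is illustrative); the allowed values are Django's documented `Trunc` kinds and `Extract` lookup names. The helper deliberately does exact, case-sensitive membership checks rather than any normalisation or prefix matching, so nothing but a literal allowlisted string ever reaches the ORM.

```python
"""Allowlist validation for Trunc()/Extract() kind and lookup_name values.

Added example for CVE-2022-34265 (not part of the original post).
The patched Django releases validate these arguments internally; an
application-side allowlist like this one is what makes an application
"unaffected" even on an unpatched version, because untrusted input never
becomes the kind/lookup_name argument.
"""

# Django's documented Trunc() kinds and Extract() lookup names.
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "day", "week",
    "week_day", "iso_week_day", "hour", "minute", "second",
})


class UnsafeLookupName(ValueError):
    """Raised when a requested kind/lookup_name is not on the allowlist."""


def validated(value, allowed):
    """Return value unchanged if it is exactly one of `allowed`, else raise.

    Exact set membership only: no .lower(), no .strip(), no startswith().
    Anything that is not a literal allowlisted string is rejected, which is
    the whole defence against an injected kind/lookup_name.
    """
    if not isinstance(value, str) or value not in allowed:
        raise UnsafeLookupName(f"rejected kind/lookup_name: {value!r}")
    return value


def trunc_kind(value):
    """Validate a value destined for Trunc(expression, kind=...)."""
    return validated(value, TRUNC_KINDS)


def extract_lookup(value):
    """Validate a value destined for Extract(expression, lookup_name=...)."""
    return validated(value, EXTRACT_LOOKUPS)


def is_safe_trunc_kind(value):
    """Boolean form of trunc_kind() for callers that prefer not to catch."""
    try:
        trunc_kind(value)
    except UnsafeLookupName:
        return False
    return True


def classify(candidates, allowed):
    """Map each candidate to 'accepted' or 'rejected' against an allowlist."""
    result = {}
    for candidate in candidates:
        try:
            validated(candidate, allowed)
            result[candidate] = "accepted"
        except UnsafeLookupName:
            result[candidate] = "rejected"
    return result


# Constructed sample inputs standing in for request parameters.
SAMPLE_KINDS = [
    "month",            # legitimate
    "Month",            # wrong case: rejected on purpose, no normalisation
    " day",             # stray whitespace: rejected, no stripping
    "year) -- junk",    # constructed malformed value: rejected
    None,               # missing parameter: rejected
]

if __name__ == "__main__":
    for value, verdict in classify(SAMPLE_KINDS, TRUNC_KINDS).items():
        print(f"{value!r:20} {verdict}")
    # In a view, the validated value is the only thing handed to the ORM:
    #   kind = trunc_kind(request.GET.get("kind", "month"))
    #   qs = Order.objects.annotate(period=Trunc("created", kind=kind))
```

The same pattern applies to `Extract`: call `extract_lookup(...)` on the request value and pass only its return value as `lookup_name`. Keeping the allowlists as module-level constants also makes the safe set easy to review and to assert on in tests.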

On 4 July, the Django Project announced that the vulnerability was fixed in the latest versions, 4.0.6 and 3.2.14. The developers also said they would release patches for older versions.

Affected Products:
Django main branch
Django 4.1 (currently at beta status)
Django 4.0
Django 3.2
