
CVE-2022-28347

Published: 11 April 2022

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
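How the injection reaches the database, as an added worked example (this is my own simplified model of the pre-fix behaviour, not Django's code; the function names and the sample query are constructed for illustration). Upstream's advisory places the issue in the PostgreSQL backend, where EXPLAIN option names were upper-cased and concatenated into the SQL prefix without any validation. Because a literal keyword argument must be a valid Python identifier, a payload can only reach an option name through `**` expansion of a dictionary, which is the "dictionary expansion" the description refers to. The hardened variant mirrors the allow-list approach the upstream fix took: option names must be identifier-like and must not contain a SQL line comment.

```python
import re

# Constructed stand-in (not Django's code) for how the PostgreSQL backend
# assembled the EXPLAIN prefix before 2.2.28 / 3.2.13 / 4.0.4: option NAMES
# were upper-cased and spliced straight into the SQL text.
def build_explain_prefix_vulnerable(format=None, **options):
    extra = {}
    if format:
        extra["FORMAT"] = format
    for name, value in options.items():
        # Only the value is normalised to true/false; the name is trusted as-is.
        extra[name.upper()] = "true" if value else "false"
    prefix = "EXPLAIN"
    if extra:
        prefix += " (%s)" % ", ".join("%s %s" % item for item in extra.items())
    return prefix


# Allow-list for option names: letters, digits, underscore, hyphen, and never a
# SQL line comment. Mirrors the pattern-based approach of the upstream fix;
# the name OPTION_NAME_PATTERN is this example's own.
OPTION_NAME_PATTERN = re.compile(r"[\w\-]+")


def is_valid_option_name(name):
    return bool(OPTION_NAME_PATTERN.fullmatch(name)) and "--" not in name


def build_explain_prefix_hardened(format=None, **options):
    # Reject every option name before anything is interpolated into SQL.
    for name in options:
        if not is_valid_option_name(name):
            raise ValueError(f"Invalid option name: {name!r}.")
    return build_explain_prefix_vulnerable(format, **options)


def explain_sql(prefix, query_sql):
    # The statement actually handed to the driver: prefix + the query being explained.
    return f"{prefix} {query_sql}"


# Constructed query and attacker-controlled option dictionary. This key is not a
# Python identifier, so it can only arrive via ** expansion of a dictionary the
# application built from untrusted input (hypothetical example: a debug endpoint
# that forwards request parameters to QuerySet.explain()).
QUERY_SQL = 'SELECT "app_item"."id" FROM "app_item"'
INJECTED_OPTIONS = {"analyze) select current_user; --": True}


if __name__ == "__main__":
    print(explain_sql(build_explain_prefix_vulnerable(analyze=True, verbose=False), QUERY_SQL))
    # The option name now terminates the EXPLAIN option list and comments out the
    # rest of the line; attacker text sits in the SQL unquoted.
    print(explain_sql(build_explain_prefix_vulnerable(**INJECTED_OPTIONS), QUERY_SQL))
    try:
        build_explain_prefix_hardened(**INJECTED_OPTIONS)
    except ValueError as exc:
        print("hardened:", exc)
```

An application is only exposed if it lets untrusted input choose the keys of the dictionary it expands into `explain(**options)`; with literal keyword arguments there is no way to place a payload in a name. The remediation is the fixed package versions listed under Status below; a codebase that cannot upgrade should validate option keys the same way before calling `explain()`.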

Priority

High

CVSS 3 base score: 9.8

Status

Package: python-django (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Not vulnerable (code not present)
focal      Released (2:2.2.12-1ubuntu0.11)
impish     Released (2:2.2.24-1ubuntu1.4)
jammy      Released (3.2.12-2ubuntu1)
trusty     Not vulnerable (code not present)
upstream   Released (3.2.13, 2.2.28)
xenial     Not vulnerable (code not present)