CVE-2022-28347
Published: 11 April 2022
A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the injection payload in an option name.
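The root cause described above is that `**options` keys (the option names) are interpolated into the `EXPLAIN` statement text, while only the values get any coercion. The following added example, which is not Django's code and not taken from this advisory, shows the defensive pattern that closes that gap: an allow-list check on every option name before it is concatenated into SQL, plus coercion of values to fixed literals. The regex and the `build_explain_prefix` helper are assumptions modelled on a PostgreSQL-style `EXPLAIN (NAME value, ...)` prefix; the exact upstream pattern is not quoted here.

```python
import re

# Allow-list for EXPLAIN option names: letters, digits, underscore and hyphen only.
# Assumption: this mirrors the shape of the upstream fix (names are checked before
# being interpolated); the exact upstream pattern is not quoted from the advisory.
EXPLAIN_OPTION_NAME = re.compile(r"[\w\-]+")


def validate_explain_option_name(name):
    """Return name unchanged if it is a safe EXPLAIN option name, else raise ValueError.

    Option *names* end up concatenated into the EXPLAIN statement text, so they are the
    part of **options that must never reach the SQL string unvalidated.
    """
    if not isinstance(name, str) or not EXPLAIN_OPTION_NAME.fullmatch(name) or "--" in name:
        raise ValueError(f"Invalid option name: {name!r}.")
    return name


def is_safe_explain_option_name(name):
    """Boolean form of the check, convenient for filtering keys at an API boundary."""
    try:
        validate_explain_option_name(name)
    except ValueError:
        return False
    return True


def build_explain_prefix(format=None, **options):
    """Assemble a PostgreSQL-style ``EXPLAIN (NAME value, ...)`` prefix.

    Hypothetical helper, modelled on how an ORM builds the prefix; not Django's code.
    Values are coerced to the literals true/false so they cannot carry arbitrary text,
    and every name passes through the allow-list before being interpolated.
    """
    clauses = []
    if format is not None:
        validate_explain_option_name(format)  # e.g. JSON or TEXT; same character class
        clauses.append(f"FORMAT {format}")
    for name, value in options.items():
        validate_explain_option_name(name)
        clauses.append(f"{name.upper()} {'true' if value else 'false'}")
    prefix = "EXPLAIN"
    if clauses:
        prefix += f" ({', '.join(clauses)})"
    return prefix


if __name__ == "__main__":
    # Constructed inputs: a well-formed call, then a dict expanded with ** as the advisory describes.
    print(build_explain_prefix(format="JSON", analyze=True, verbose=False))
    untrusted = {"analyze": True, "verbose; x": True}  # constructed malformed key, not a working payload
    try:
        build_explain_prefix(**untrusted)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately an allow-list rather than a deny-list of characters: any key that is not purely word characters and hyphens is refused, and `--` is refused separately because it is a SQL comment introducer even though each character is individually allowed. Applying the same check to `format` keeps the one remaining interpolated string under the same rule.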
Priority
CVSS 3 base score: 9.8
Status
Package | Release | Status
---|---|---
python-django (Launchpad, Ubuntu, Debian) | bionic | Not vulnerable (code not present)
python-django | focal | Released (2:2.2.12-1ubuntu0.11)
python-django | impish | Released (2:2.2.24-1ubuntu1.4)
python-django | jammy | Released (3.2.12-2ubuntu1)
python-django | trusty | Not vulnerable (code not present)
python-django | upstream | Released (3.2.13, 2.2.28)
python-django | xenial | Not vulnerable (code not present)