July 4, 2022 

Django SQL Injection Vulnerability Exists in the Wild

The Django project, an open-source Python-based web framework, has patched a high severity SQL Injection vulnerability in its latest releases.

The vulnerability affects thousands of websites which use Django as their Model-Template-View framework. 

The Vulnerability

• CVE-2022-34265 (High severity) – a potential SQL Injection vulnerability allowing a threat actor to attack Django web applications via arguments provided to the Trunc(kind) and Extract(lookup_name) functions. 

Affected Products

• Django main branch 
• Django 4.1 (currently at beta status) 
• Django 4.0 
• Django 3.2 

Mitigation

CYREBRO recommends updating Django instances to the latest versions: 

• Django 4.0.6 
• Django 3.2.14 

Workaround

If you are unable to upgrade, Django team has made patches available that can be applied to existing affected versions. 

The patches are available from the following changesets: 

• On the main branch 
• On the 4.1 release branch 
• On the 4.0 release branch 
• On the 3.2 release branch 

References: Django Advisory