July 4, 2022
Django SQL Injection Vulnerability Exists in the Wild
The Django project, an open-source Python-based web framework, has patched a high-severity SQL injection vulnerability in its latest releases.
The vulnerability affects thousands of websites that use Django as their Model-Template-View framework.
- CVE-2022-34265 (High severity) – a potential SQL injection vulnerability that allows a threat actor to attack Django web applications through the kind argument of the Trunc() database function and the lookup_name argument of the Extract() database function.
Affected versions:
- Django main branch
- Django 4.1 (currently at beta status)
- Django 4.0
- Django 3.2
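The root cause named above is that the unit name handed to Trunc(kind=...) or Extract(lookup_name=...) ends up spliced into the SQL text rather than bound as a parameter. The following is an added example, not code from the advisory or from the Django project: it mirrors that splice with a hypothetical SQL template (no Django install needed) and shows the defensive control an application should apply before a client-supplied value reaches either function, validating it against an allowlist of unit names. The allowlist, template, column and parameter names are assumptions.

```python
import re

# Constructed allowlist of the unit names an application exposes to callers
# (assumption: trim it to the units your views actually need).
DATE_UNITS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "date", "time", "hour", "minute", "second",
})

# Defence in depth: even a value not in the allowlist must at least look like
# a bare identifier. Hypothetical pattern, not Django's own.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Hypothetical stand-in for how a date function renders its SQL: the unit is
# placed into the statement text, which is why the value must be trusted.
SQL_TEMPLATE = "SELECT EXTRACT({unit} FROM created_at) FROM app_event"


def render_unsafe(unit: str) -> str:
    """Pre-fix shape: whatever string arrives becomes part of the SQL text."""
    return SQL_TEMPLATE.format(unit=unit)


def validated_unit(unit: str) -> str:
    """Hardened form: only a known, identifier-shaped unit name reaches SQL."""
    if not isinstance(unit, str) or not IDENTIFIER_RE.match(unit):
        raise ValueError(f"unit is not a bare identifier: {unit!r}")
    if unit not in DATE_UNITS:
        raise ValueError(f"unsupported Trunc/Extract unit: {unit!r}")
    return unit


def render_safe(unit: str) -> str:
    """Same template, but the unit has been validated first."""
    return SQL_TEMPLATE.format(unit=validated_unit(unit))


def group_by_unit_from_request(params: dict, default: str = "day") -> str:
    """What a view should do with a client-chosen grouping unit (e.g. from
    request.GET) before passing it as Trunc(kind=...) or Extract(lookup_name=...)."""
    return validated_unit(params.get("group_by", default))


if __name__ == "__main__":
    print(render_safe(group_by_unit_from_request({"group_by": "month"})))
```

In a real view, pass the return value of group_by_unit_from_request() as the kind or lookup_name argument; reject the request (HTTP 400) when it raises ValueError.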
CYREBRO recommends updating Django instances to the latest versions:
If you are unable to upgrade, the Django team has made patches available that can be applied to existing affected versions.
The patches are available from the following changesets:
References: Django Advisory