Home

CVE-2022-28346

Description

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
2.224

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2022-28346,CVE-2022-28347 are fixed in Python-django 2.2.28Windows
Vulnerabilities CVE-2022-28346,CVE-2022-28347 are fixed in Python-django 3.2.13Windows
Vulnerabilities CVE-2022-28346,CVE-2022-28347 are fixed in Python-django 4.0.4Windows
High-level Python web development framework (USN-5373-1) python3-django_2.2.24-1ubuntu1.5_all.debLinux
(RHSA-2022:5498) Satellite 6.11 Release foreman-cli-3.1.1.21-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release foreman-cli-3.1.1.21-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-amazing_print-1.1.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-apipie-bindings-0.4.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-clamp-1.1.2-7.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-clamp-1.1.2-7.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-domain_name-0.5.20160310-5.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-fast_gettext-1.4.1-5.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-foreman_maintain-1.0.12-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-foreman_maintain-1.0.12-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli-3.1.0.1-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman-3.1.0.1-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_admin-1.1.0-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_ansible-0.3.4-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_azure_rm-0.2.2-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_bootdisk-0.3.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_discovery-1.1.0-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_openscap-0.1.13-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_tasks-0.0.17-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_templates-0.2.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_virt_who_configure-0.0.9-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_foreman_webhooks-0.0.2-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hammer_cli_katello-1.3.1.6-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-hashie-3.6.0-3.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-highline-2.0.3-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-highline-2.0.3-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-http-cookie-1.0.2-5.1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-jwt-2.2.2-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-little-plugger-1.1.4-3.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-locale-2.0.9-15.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-logging-2.3.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-mime-types-3.3.1-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-mime-types-data-3.2018.0812-5.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-multi_json-1.14.1-3.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-netrc-0.11.0-6.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-oauth-0.5.4-5.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-powerbar-2.0.1-3.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-rest-client-2.0.2-4.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unf-0.1.3-9.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unf_ext-0.0.7.2-4.1.el8sat.x86_64.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unf_ext-debugsource-0.0.7.2-4.1.el8sat.x86_64.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unicode-0.4.4.4-4.1.el8sat.x86_64.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unicode-debugsource-0.4.4.4-4.1.el8sat.x86_64.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release rubygem-unicode-display_width-1.7.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release satellite-cli-6.11.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release satellite-cli-6.11.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release satellite-clone-3.1.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release satellite-clone-3.1.0-2.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release satellite-maintain-0.0.1-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release satellite-maintain-0.0.1-1.el8sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-amazing_print-1.1.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-apipie-bindings-0.4.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-clamp-1.1.2-7.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-domain_name-0.5.20160310-5.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-fast_gettext-1.4.1-5.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli-3.1.0.1-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman-3.1.0.1-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_admin-1.1.0-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_ansible-0.3.4-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_azure_rm-0.2.2-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_bootdisk-0.3.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_discovery-1.1.0-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_openscap-0.1.13-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_remote_execution-0.2.2-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_tasks-0.0.17-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_templates-0.2.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_virt_who_configure-0.0.9-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_foreman_webhooks-0.0.2-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hammer_cli_katello-1.3.1.6-1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-hashie-3.6.0-3.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-highline-2.0.3-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-http-cookie-1.0.2-5.1.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-jwt-2.2.2-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-little-plugger-1.1.4-3.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-locale-2.0.9-15.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-logging-2.3.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-mime-types-3.3.1-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-mime-types-data-3.2018.0812-5.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-multi_json-1.14.1-3.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-netrc-0.11.0-6.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-oauth-0.5.4-5.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-powerbar-2.0.1-3.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-rest-client-2.0.2-4.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unf-0.1.3-9.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unf_ext-0.0.7.2-4.1.el7sat.x86_64.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unicode-0.4.4.4-4.1.el7sat.x86_64.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-rubygem-unicode-display_width-1.7.0-2.el7sat.noarch.rpmLinux
(RHSA-2022:5498) Satellite 6.11 Release tfm-runtime-7.0-1.el7sat.x86_64.rpmLinux
High-level Python web development framework (USN-5373-1) python-django_1.11.11-1ubuntu1.17_all.debLinux
High-level Python web development framework (USN-5373-1) python3-django_1.11.11-1ubuntu1.17_all.debLinux
Vulnerabilities CVE-2022-28346,CVE-2022-28347 are fixed in Python-django for linux 2.2.28Linux
Vulnerabilities CVE-2022-28346,CVE-2022-28347 are fixed in Python-django for linux 3.2.13Linux
Vulnerabilities CVE-2022-28346,CVE-2022-28347 are fixed in Python-django for linux 4.0.4Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234