GHSA-rqw2-ghq9-44m7

Опубликовано: 02 дек. 2025

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Django is vulnerable to SQL injection in column aliases

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.annotate() or QuerySet.alias() on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

Ссылки

Пакеты

Наименование

Django

pip

Затронутые версииВерсия исправления

>= 5.2a1, < 5.2.9

5.2.9

Наименование

Django

pip

Затронутые версииВерсия исправления

>= 5.1a1, < 5.1.15

5.1.15

Наименование

Django

pip

Затронутые версииВерсия исправления

>= 4.2a1, < 4.2.27

4.2.27

EPSS

Процентиль: 1%

0.00008

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2025-13372

Дефекты

CWE-89

Связанные уязвимости

CVE-2025-13372

CVSS3: 4.3

ubuntu

17 дней назад

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

CVE-2025-13372

CVSS3: 4.3

nvd

17 дней назад

CVE-2025-13372

CVSS3: 4.3

debian

17 дней назад

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4. ...

EPSS

Процентиль: 1%

0.00008

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2025-13372

Дефекты

CWE-89