Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2022-34265

Опубликовано: 04 июл. 2022
Источник: redhat
CVSS3: 9.8
EPSS Критический

Описание

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

A flaw was found in Django. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.

Отчет

Applications that constrain the lookup name and kind choice to a known safe list are unaffected. Red Hat Satellite 6 versions include affected versions of python-django, however, the product is not vulnerable since it does not make use of vulnerable functions. Future updates may fix this issue.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 1.2ansible-towerAffected
Red Hat Ansible Automation Platform 2automation-controllerAffected
Red Hat Ansible Automation Platform 2python3-djangoAffected
Red Hat Ansible Automation Platform 2python-djangoAffected
Red Hat Ceph Storage 3python-djangoOut of support scope
Red Hat OpenStack Platform 13 (Queens)python-djangoNot affected
Red Hat OpenStack Platform 16.1python-django20Not affected
Red Hat OpenStack Platform 16.2python-django20Not affected
Red Hat Satellite 6python3-djangoNot affected
Red Hat Satellite 6python-pulp-containerNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-89
https://bugzilla.redhat.com/show_bug.cgi?id=2102896python-django: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments

EPSS

Процентиль: 100%
0.92525
Критический

9.8 Critical

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2022-34265

CVSS3: 9.8
ubuntu
почти 3 года назад

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

nvd логотип

CVE-2022-34265

CVSS3: 9.8
nvd
почти 3 года назад

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

debian логотип

CVE-2022-34265

CVSS3: 9.8
debian
почти 3 года назад

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0 ...

github логотип

GHSA-p64x-8rxx-wf6q

CVSS3: 9.8
github
почти 3 года назад

Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection

fstec логотип

BDU:2022-04199

CVSS3: 6.3
fstec
около 3 лет назад

Уязвимость функции Trunc/Extract фреймворка для веб-разработки Django, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

EPSS

Процентиль: 100%
0.92525
Критический

9.8 Critical

CVSS3