Описание
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-cni-rhel9 | Not affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-must-gather-rhel9 | Not affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-pilot-rhel9 | Not affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-proxyv2-rhel9 | Not affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-rhel9-operator | Not affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh/istio-sail-operator-bundle | Not affected | ||
| OpenShift Service Mesh 3 | openshift-service-mesh-tech-preview/istio-ztunnel-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-dellemc-openmanage-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel9 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.1 High
CVSS3
Связанные уязвимости
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.alias().
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12 ...
Django is subject to SQL injection through its column aliases
EPSS
7.1 High
CVSS3