Django Software Foundation Patches High-Severity BugSQL Injection Vulnerability Affects Main Branch of the Open-Source Framework
The Django Software Foundation released a patch for a high-severity SQL injection vulnerability, although websites that limit back-end inputs to safelist matches are unaffected by the bug.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The free and open-source Python-based web framework says its main branch and three other versions - 3.2, 4.0 and 4.1 - are affected by the vulnerability. More than 91,000 websites, including some well-known brands, use Django's Python-based framework, and a plurality are based in the United States.
Tracked as CVE-2022-34265, the vulnerability allows a threat actor to attack Django-based web applications through a command for deleting data known as Trunc and a command known as Extract that isolates elements such as month or day from a longer time stamp.
CVE-2022-34265 An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain t... https://t.co/ShSc9KFOLV— CVE (@CVEnew) July 4, 2022
Applications with safelist match constraints for kind choice in Trunc and lookup name in Extract aren't affected by the vulnerability.
Django's developers released Django 4.0.6 and Django 3.2.14 to patch the vulnerabilities For users unable to apply these patches, developers released separate patches for respective affected versions.
Django credited researcher Takuto Yoshikai from Aeye Security Lab with reporting the vulnerability.
Red Hat Investigating Impact
Red Hat, another open-source software vendor, rated Django's CVE-2022-34265 as a critical vulnerability based on its "preliminary" review and gave it a CVSS v3 base score of 9.8.
Red Hat assesses that the attack complexity is "low" and the privilege and user interaction required for its exploitation is "none."
Red Hat is currently investigating 11 of its open-source packages that incorporate Django - including Satellite, OpenStack Platform, Ceph Storage and Update Infrastructure. Red Hat's analysis is ongoing.