SQL Injection Vulnerability in Django

Published on 05 Jul 2022

Updated on 03 Aug 2022

The Django project, an open source Python-based web framework, has issued a security release to address a high-severity vulnerability. The vulnerability, assigned CVE-2022-34265, exists in Django's main branch and in versions 4.1 (beta), 4.0 and 3.2. It allows a threat actor to attack Django web applications by injecting malicious code via the arguments provided to the Trunc() and Extract() database functions.
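The exposure depends on untrusted input reaching the Trunc() `kind` or Extract() `lookup_name` argument, so the application-side control is to accept only a fixed set of period names before building the expression. The example below is added here and is not code from the advisory or the Django project; the `created_at` field, the `orders_per_period` helper and its query set are hypothetical.

```python
# Added example: allowlist the period name before it reaches Trunc()/Extract().
# Names are taken from Django's documented Trunc kinds and Extract lookup names.
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "hour", "minute", "second", "date", "time",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})


def validate_period(value, allowed):
    """Return `value` only if it is exactly one of the allowed names.

    The comparison is exact (no case folding, no stripping), so a value that
    carries any extra characters is rejected instead of being interpolated
    into the SQL that Django generates for the function.
    """
    if not isinstance(value, str) or value not in allowed:
        raise ValueError(f"unsupported period {value!r}")
    return value


def safe_trunc_kind(user_value):
    """Validate a user-supplied Trunc() kind."""
    return validate_period(user_value, TRUNC_KINDS)


def safe_extract_lookup(user_value):
    """Validate a user-supplied Extract() lookup_name."""
    return validate_period(user_value, EXTRACT_LOOKUPS)


def orders_per_period(queryset, requested_kind):
    """Group `queryset` (hypothetical model with `created_at`) by a period
    chosen by the user, e.g. from request.GET["period"].

    Validation happens before any ORM expression exists; Django is imported
    lazily so the validators above run without Django installed.
    """
    kind = safe_trunc_kind(requested_kind)  # raises on anything off-list
    from django.db.models import Count
    from django.db.models.functions import Trunc
    return (queryset.annotate(period=Trunc("created_at", kind))
            .values("period")
            .annotate(n=Count("id"))
            .order_by("period"))
```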

Django has released versions 4.0.6 and 3.2.14, which address this vulnerability, and urges developers to upgrade their Django web applications as soon as possible.

If you are unable to upgrade to the fixed Django versions 4.0.6 or 3.2.14, the team has also made patches available that can be applied to the affected versions. Patches for the affected versions are linked below:
• Main branch
• Django 4.1
• Django 4.0
• Django 3.2

References:
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2022-34265