Django releases patches for SQL injection vulnerability
The Django project has released a security advisory for a high-severity SQL (Structured Query Language) injection vulnerability. The vulnerability is tracked as CVE-2022-34265 and affects Django's main branch and versions 4.1, 4.0, and 3.2.
“The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected,” the advisory says.
Takuto Yoshikai from Aeye Security Lab reported the vulnerability privately to Django. A threat actor can attack Django web applications through the arguments passed to the Trunc (kind) and Extract (lookup_name) functions: using untrusted data as the ‘kind’ or ‘lookup_name’ value of these database functions exposes the application to SQL injection. An application is not vulnerable, however, if it sanitizes or escapes the input before passing it as an argument to Trunc() or Extract().
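The advisory's safe pattern, constraining the lookup name and kind to a known list before they reach Extract() or Trunc(), can be enforced in plain Python ahead of the ORM call. The following is an added example written for this article, not code from the Django project or the advisory; the request-parameter names `group_by` and `period`, the `created_at` field and the `UnsafeLookupError` class are assumptions, while the lookup names and kinds in the two allowlists are the ones Django's Extract() and Trunc() document.

```python
"""Constrain Extract()/Trunc() arguments to a known safe list (CVE-2022-34265 mitigation pattern)."""
from typing import Mapping

# Lookup names accepted by django.db.models.functions.Extract().
ALLOWED_EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})

# Kinds accepted by django.db.models.functions.Trunc().
ALLOWED_TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "date", "time",
    "hour", "minute", "second",
})


class UnsafeLookupError(ValueError):
    """Raised when a request supplies a value outside the allowlist (hypothetical name)."""


def safe_lookup_name(value: str) -> str:
    """Return `value` only if it is a known Extract() lookup name; otherwise refuse it."""
    if value not in ALLOWED_EXTRACT_LOOKUPS:
        raise UnsafeLookupError(f"unsupported lookup_name: {value!r}")
    return value


def safe_trunc_kind(value: str) -> str:
    """Return `value` only if it is a known Trunc() kind; otherwise refuse it."""
    if value not in ALLOWED_TRUNC_KINDS:
        raise UnsafeLookupError(f"unsupported kind: {value!r}")
    return value


def resolve_report_params(query: Mapping[str, str]) -> dict:
    """Map query-string parameters (assumed names 'group_by' and 'period') to validated values.

    Every value that leaves this function is a member of the allowlists above, so
    it is safe to hand to Extract()/Trunc() regardless of the Django version in use.
    """
    lookup_name = safe_lookup_name(query.get("group_by", "month"))
    kind = safe_trunc_kind(query.get("period", "day"))
    return {"lookup_name": lookup_name, "kind": kind}


def annotate_by_period(queryset, query: Mapping[str, str]):
    """Apply the validated values to a Django queryset.

    The import is deferred so the validation functions above run without Django
    installed; `created_at` is an assumed model field.
    """
    from django.db.models.functions import Extract, Trunc

    params = resolve_report_params(query)
    return queryset.annotate(
        period=Trunc("created_at", params["kind"]),
        part=Extract("created_at", params["lookup_name"]),
    )


if __name__ == "__main__":
    # Constructed request parameters: one well-formed, one carrying an unexpected value.
    print(resolve_report_params({"group_by": "week", "period": "month"}))
    try:
        resolve_report_params({"group_by": "year; unexpected", "period": "day"})
    except UnsafeLookupError as exc:
        print("rejected:", exc)
```

The validation sits in front of the ORM rather than inside it, so the check holds on patched and unpatched releases alike and makes the accepted vocabulary explicit in code review.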
Django is a high-level Python web framework that encourages rapid development and clean, pragmatic design. It takes care of much of the hassle of web development, so you can focus on writing your app without needing to reinvent the wheel. It’s free and open source.
“This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before its final release,” states the Django team.
Remediation
The Django team urges organizations to upgrade to Django 4.0.6 or 3.2.14 to mitigate the risk. For those unable to update, the team has made patches available that can be applied to the existing affected versions.