Bug 1198398 (CVE-2022-28346)

Summary: VUL-0: CVE-2022-28346: python-Django,python-Django1: Potential SQL injection in QuerySet.annotate(),aggregate() and extra()
Product: [Novell Products] SUSE Security Incidents Reporter: Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: calmeidadeoliveira, fmccarthy, jmoffitt, smash_bz, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/328542/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-28346:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Hu 2022-04-12 13:57:34 UTC 
rh#2072447

``QuerySet.annotate()`, ``aggregate()``, and ``extra()`` methods were
subject
to SQL injection in column aliases, using a suitably crafted dictionary,
with
dictionary expansion, as the ``**kwargs`` passed to these methods.

This issue has High severity, according to the Django security policy [1].

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2072447
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28346
https://seclists.org/oss-sec/2022/q2/27
Comment 1 Hu 2022-04-12 13:58:13 UTC 
Affected:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django   1.11.29
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1  1.11.29
- openSUSE:Factory/python-Django                                4.0.3
Comment 2 Jeremy Moffitt 2022-04-12 15:04:21 UTC 
The 1.11 version in SOC is long since unsupported upstream, not sure how similar it is to the 2.x version, but https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d  is the commit where this was fixed for 2.x if that helps.

For factory, moving to 4.0.4 seems like the most reasonable solution: https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
Comment 9 Swamp Workflow Management 2022-09-22 19:19:41 UTC 
SUSE-SU-2022:3339-1: An update that fixes 6 vulnerabilities, contains two features is now available.

Category: security (moderate)
Bug References: 1157665,1164139,1191454,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662,SOC-8764
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, rubygem-puma-2.16.0-4.18.1
SUSE OpenStack Cloud 9 (src):    ardana-ansible-9.0+git.1660748476.c118d23-3.32.1, ardana-cobbler-9.0+git.1660747489.119efcd-3.19.1, ardana-tempest-9.0+git.1651855288.a2341ad-3.22.1, grafana-6.7.4-3.29.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a7-3.15.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev4-3.12.1, openstack-neutron-gbp-14.0.1~dev46-3.34.1, openstack-nova-18.3.1~dev92-3.43.1, python-Django1-1.11.29-3.40.1, rabbitmq-server-3.6.16-4.3.1, venv-openstack-heat-11.0.4~dev4-3.37.1, venv-openstack-horizon-14.1.1~dev11-4.41.1, venv-openstack-neutron-13.0.8~dev206-6.41.1, venv-openstack-nova-18.3.1~dev92-3.41.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-09-22 19:21:25 UTC 
SUSE-SU-2022:3338-1: An update that fixes 7 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1157665,1191454,1193597,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2021-44716,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, rubygem-puma-2.16.0-3.18.1
SUSE OpenStack Cloud 8 (src):    ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1
HPE Helion Openstack 8 (src):    ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Christian Almeida de Oliveira 2022-09-27 13:05:30 UTC 
SOC 8 and SOC 9 fixes released.
Back to Security team.
Comment 13 Swamp Workflow Management 2023-01-03 14:23:23 UTC 
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-Django-2.2.28-bp153.2.3.1