Bug 1198399 (CVE-2022-28347)

Summary: VUL-0: CVE-2022-28347: python-Django1,python-Django: Potential SQL injection via QuerySet.explain(options) on PostgreSQL
Product: [Novell Products] SUSE Security Incidents Reporter: Hu <cathy.hu>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: carlos.lopez, fmccarthy, robert.simai, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/328541/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-28347:7.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Hu 2022-04-12 14:11:07 UTC 
rh#2072459

``QuerySet.explain()`` method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
``**options`` argument.

This issue has High severity, according to the Django security policy [1].

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2072459
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28347
http://www.openwall.com/lists/oss-security/2022/04/11/1
https://seclists.org/oss-sec/2022/q2/28
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28347
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
https://docs.djangoproject.com/en/4.0/releases/security/
https://groups.google.com/forum/#!forum/django-announce
Comment 1 Hu 2022-04-12 14:17:50 UTC 
Not affected:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django   1.11.29
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1  1.11.29

Affected:
- openSUSE:Factory/python-Django                                4.0.3
Comment 2 Fergal Mc Carthy 2022-07-12 17:21:16 UTC 
https://build.opensuse.org/request/show/977872 updated openSUSE:Factory/python-Django to version 4.0.4 which includes the fix for this issue, and it has been further updated to 4.0.6 as of writing this comment.

As such I think this bugzilla can be closed.
Comment 4 Carlos López 2022-09-16 12:50:34 UTC 
Done, closing.
Comment 5 Swamp Workflow Management 2023-01-03 14:23:28 UTC 
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    python-Django-2.2.28-bp153.2.3.1