Bugzilla – Bug 1198399
VUL-0: CVE-2022-28347: python-Django1,python-Django: Potential SQL injection via QuerySet.explain(options) on PostgreSQL
Last modified: 2023-01-03 14:23:28 UTC
``QuerySet.explain()`` method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
This issue has High severity, according to the Django security policy.
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django 1.11.29
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1 1.11.29
- openSUSE:Factory/python-Django 4.0.3
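The following is an added example written for this page; it is not Django's, SUSE's, or the reporter's code. It models, in a few lines, the name-handling path that made `QuerySet.explain(**options)` injectable on PostgreSQL: option values were normalised to the literals `true`/`false`, but option names were uppercased and pasted into the `EXPLAIN (...)` prefix untouched, and Python's `**` expansion happily passes non-identifier strings as keyword names. The vulnerable builder is a simplified model of the pre-fix backend logic (the real backend also validates the `format` argument and checks feature flags, which are left out here); the allow-list check is modelled on the shape of the upstream fix shipped in the releases this page names (2.2.28 and 4.0.4), but the exact regex and the extra `--` rule are this example's own choice. The `customers` table, the request-derived dictionary and the payload string are all constructed for the demonstration.

```python
import re

# Added example, not Django's code.  Minimal model of the pre-fix PostgreSQL
# EXPLAIN prefix assembly (assumption: the real code is richer, only the
# option-name path relevant to CVE-2022-28347 is modelled).
EXPLAIN_PREFIX = "EXPLAIN"


def build_explain_prefix_vulnerable(format=None, **options):
    """Pre-fix behaviour: option VALUES are coerced to true/false, but every
    option NAME is uppercased and interpolated into the SQL verbatim."""
    extra = {}
    if format:
        extra["FORMAT"] = format
    if options:
        extra.update(
            {name.upper(): "true" if value else "false" for name, value in options.items()}
        )
    prefix = EXPLAIN_PREFIX
    if extra:
        prefix += " (%s)" % ", ".join("%s %s" % item for item in extra.items())
    return prefix


# Allow-list for option names, modelled on the upstream fix.  The character
# class is this example's choice; "--" is rejected separately because it opens
# a SQL line comment, so a name like "analyze--" would pass the character class
# yet still let an attacker truncate the statement.
EXPLAIN_OPTIONS_PATTERN = re.compile(r"[\w\-]+")


def invalid_option_names(options):
    """Return the option names that must never reach the SQL string."""
    return [
        name
        for name in options
        if not EXPLAIN_OPTIONS_PATTERN.fullmatch(name) or "--" in name
    ]


def build_explain_prefix_fixed(format=None, **options):
    """Post-fix behaviour: refuse the whole call if any option name is unsafe."""
    bad = invalid_option_names(options)
    if bad:
        raise ValueError("Invalid option name: %r." % bad[0])
    return build_explain_prefix_vulnerable(format, **options)


def explain_sql(prefix, query_sql):
    """Prepend the EXPLAIN prefix to the compiled query, as the ORM does."""
    return "%s %s" % (prefix, query_sql)


if __name__ == "__main__":
    query = "SELECT * FROM customers WHERE id = 1"  # constructed query

    # Legitimate call: qs.explain(analyze=True, verbose=False)
    print(explain_sql(build_explain_prefix_vulnerable(analyze=True, verbose=False), query))

    # Constructed attack: a view does qs.explain(**request.GET.dict()), so the
    # dictionary KEYS come from the request.  ** expansion accepts any string
    # as a keyword name, so the key need not be a valid identifier.  The first
    # injected statement is kept syntactically valid on purpose: PostgreSQL
    # parses a multi-statement string as a whole before running any of it.
    untrusted_options = {"verbose) select 1; drop table customers; --": "1"}
    print(explain_sql(build_explain_prefix_vulnerable(**untrusted_options), query))
    # -> EXPLAIN (VERBOSE) SELECT 1; DROP TABLE CUSTOMERS; -- true) SELECT * FROM customers WHERE id = 1

    # Same input against the hardened builder is rejected before any SQL exists.
    try:
        build_explain_prefix_fixed(**untrusted_options)
    except ValueError as exc:
        print("rejected:", exc)
```

The practical takeaways for an application owner are that the fix lives in Django (there is no per-project mitigation other than upgrading to a fixed release), that option values were never the problem because they are reduced to `true`/`false`, and that the only way to be exposed at all is to let request data choose the option names, for example by expanding a request-derived dictionary into `explain()`.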
https://build.opensuse.org/request/show/977872 updated openSUSE:Factory/python-Django to version 4.0.4 which includes the fix for this issue, and it has been further updated to 4.0.6 as of writing this comment.
As such I think this bugzilla can be closed.
openSUSE-SU-2023:0005-1: An update that solves 13 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1185713,1186608,1186611,1193240,1194115,1194116,1194117,1195086,1195088,1198297,1198398,1198399,1201923,1203793
CVE References: CVE-2021-32052,CVE-2021-33203,CVE-2021-33571,CVE-2021-44420,CVE-2021-45115,CVE-2021-45116,CVE-2021-45452,CVE-2022-22818,CVE-2022-23833,CVE-2022-28346,CVE-2022-28347,CVE-2022-36359,CVE-2022-41323
openSUSE Backports SLE-15-SP3 (src): python-Django-2.2.28-bp22.214.171.124