Bug 1198399 - (CVE-2022-28347) VUL-0: CVE-2022-28347: python-Django1,python-Django: Potential SQL injection via QuerySet.explain(options) on PostgreSQL
(CVE-2022-28347)
VUL-0: CVE-2022-28347: python-Django1,python-Django: Potential SQL injection ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/328541/
CVSSv3.1:SUSE:CVE-2022-28347:7.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-04-12 14:11 UTC by Hu
Modified: 2022-09-16 12:50 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hu 2022-04-12 14:11:07 UTC
rh#2072459

``QuerySet.explain()`` method was subject to SQL injection in option names,
using a suitably crafted dictionary, with dictionary expansion, as the
``**options`` argument.

This issue has High severity, according to the Django security policy [1].

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2072459
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28347
http://www.openwall.com/lists/oss-security/2022/04/11/1
https://seclists.org/oss-sec/2022/q2/28
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28347
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
https://docs.djangoproject.com/en/4.0/releases/security/
https://groups.google.com/forum/#!forum/django-announce
Comment 1 Hu 2022-04-12 14:17:50 UTC
Not affected:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/python-Django   1.11.29
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/python-Django1  1.11.29

Affected:
- openSUSE:Factory/python-Django                                4.0.3
Comment 2 Fergal Mc Carthy 2022-07-12 17:21:16 UTC
https://build.opensuse.org/request/show/977872 updated openSUSE:Factory/python-Django to version 4.0.4 which includes the fix for this issue, and it has been further updated to 4.0.6 as of writing this comment.

As such I think this bugzilla can be closed.
Comment 4 Carlos López 2022-09-16 12:50:34 UTC
Done, closing.