Critical SQL injection vulnerability in Django

The Django project, an open source web framework written in Python, has fixed a high severity vulnerability in its latest versions. Identified as CVE-2022-34265, the potential SQL injection vulnerability exists in Django's main branch and in versions 4.1 (currently in beta), 4.0, and 3.2. New releases and patches issued this Monday, July 4, remove the vulnerability.

Tens of thousands of companies choose Django as the base framework for their websites. This makes it even more urgent to update or patch Django instances against vulnerabilities like these.

The Django team has released Django 4.0.6 and Django 3.2.14 versions that address a high severity SQL injection vulnerability and urge developers to update or patch their Django instances as soon as possible.

The vulnerability may allow a threat actor to attack Django web applications via the arguments provided to the Trunc() and Extract() database functions.

“The Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a value of type/lookup_name.”

“Apps that restrict the lookup name and type choice to a known safe list are not affected.”

In other words, your application is not vulnerable if the kind and lookup_name arguments are validated against a known-safe list of names before they are passed to the Trunc and Extract functions; the risk arises when user-controlled strings reach those arguments unchecked.
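As an added illustration (not code from the Django project or from this article), the following shows the allowlist pattern the advisory describes: a request-controlled value is accepted only if it matches one of the documented Trunc kinds or Extract lookup names exactly, and anything else is rejected before it can reach the ORM. The allowlist contents, the `params` dictionary standing in for a request's query parameters, and the `annotate_events` helper are assumptions for this example.

```python
import re

# Allowlist of Trunc() kinds and Extract() lookup names. These are the values
# Django documents for its date/time functions; trim the set to the names your
# application actually needs (constructed for this example).
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "hour", "minute", "second",
})
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})

# Defence in depth: even a value on the allowlist must be a plain identifier.
_IDENTIFIER = re.compile(r"^[a-z_]+$")


class UnsafeLookupName(ValueError):
    """Raised when a kind/lookup_name value is not on the allowlist."""


def is_safe_lookup(value, allowed):
    """True only if value is a str, a plain identifier, and in the allowlist."""
    return (
        isinstance(value, str)
        and bool(_IDENTIFIER.match(value))
        and value in allowed
    )


def validated_lookup(value, allowed):
    """Return value unchanged if it is safe, otherwise raise UnsafeLookupName."""
    if not is_safe_lookup(value, allowed):
        raise UnsafeLookupName(f"rejected lookup name: {value!r}")
    return value


def trunc_kind_from_request(params):
    """Pick the Trunc() kind from query parameters, defaulting to 'day'.

    `params` stands in for request.GET (a hypothetical dict for this example).
    """
    return validated_lookup(params.get("granularity", "day"), TRUNC_KINDS)


def extract_lookup_from_request(params):
    """Pick the Extract() lookup_name from query parameters, defaulting to 'year'."""
    return validated_lookup(params.get("part", "year"), EXTRACT_LOOKUPS)


def annotate_events(queryset, params):
    """Annotate a queryset with a Trunc() of `created_at` using a validated kind.

    Imported lazily so the validation helpers above run without Django installed;
    `created_at` is an assumed model field.
    """
    from django.db.models.functions import Trunc
    kind = trunc_kind_from_request(params)
    return queryset.annotate(period=Trunc("created_at", kind))


if __name__ == "__main__":
    # Constructed inputs: one benign, one malformed, one attempting to smuggle
    # SQL syntax through the lookup name. Only the first is accepted.
    for sample in ({"granularity": "month"}, {"granularity": "fortnight"},
                   {"granularity": "day' --"}):
        try:
            print(sample, "->", trunc_kind_from_request(sample))
        except UnsafeLookupName as exc:
            print(sample, "->", exc)
```

The check is an exact membership test rather than escaping: the kind and lookup_name are interpolated into SQL as identifiers, so the only safe strategy is to refuse anything that is not one of a fixed set of known names. The regex is redundant with the allowlist but makes the intent obvious if someone later extends the set.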

Researcher Takuto Yoshikai of Aeye Security Lab is credited with reporting the vulnerability.

For those unable to upgrade to the fixed versions of Django 4.0.6 or 3.2.14, the team has made available patches that can be applied to existing affected versions.

Patches to resolve the issue have been applied to the Django main branch and to the 4.1, 4.0, and 3.2 branches. Patches can be obtained from the following project changesets:

Main

Branch Version 4.1

Branch Version 4.0

Branch Version 3.2

“This security release mitigates the issue, but we have identified improvements to the base API methods of data related to date truncation and extraction that would be beneficial to add to Django 4.1 before its final release,” the Django team further states.

“This will affect third-party database backends using Django 4.1 Release Candidate 1 or later, until they can update the API changes. We apologize for the inconvenience.”

Django’s security policy states that any potential security issues are reported privately via email to security@djangoproject.com, rather than using Django’s Trac instance or public mailing lists.