Django Software Foundation Patches High-Severity Bug

SQL Injection Vulnerability Affects Main Branch of the Open-Source Framework
The Django Software Foundation released a patch for a high-severity SQL injection vulnerability, although websites that limit back-end inputs to safelist matches are unaffected by the bug.

The free and open-source Python-based web framework says its main branch and three other versions - 3.2, 4.0 and 4.1 - are affected by the vulnerability. More than 91,000 websites, including some well-known brands, use Django, and a plurality are based in the United States.

The Vulnerability

Tracked as CVE-2022-34265, the vulnerability allows a threat actor to attack Django-based web applications through a command for deleting data known as Trunc and a command known as Extract that isolates elements such as month or day from a longer timestamp.

Applications with safelist match constraints for kind choice in Trunc and lookup name in Extract aren't affected by the vulnerability.
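The safelist constraint described above, written out as an added example that is not Django's own code: the value a client supplies for Trunc's `kind` or Extract's `lookup_name` (both are Django database functions over date/time columns) is accepted only if it exactly matches an allowlisted name before it gets anywhere near a query. The allowlists are the kind and lookup names Django's own Trunc and Extract accept; the `DATE_TRUNC` string in `render_trunc_sql` is an illustrative shape, not the SQL Django emits, and it runs without Django installed.

```python
"""Allowlist check for Trunc `kind` / Extract `lookup_name` values taken
from a request. Added example, not Django's code; render_trunc_sql uses an
assumed, illustrative SQL shape to show why validation has to come first."""

# Kind names accepted by Django's Trunc (the allowlist to match against).
TRUNC_KINDS = frozenset(
    {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}
)
# Lookup names accepted by Django's Extract.
EXTRACT_LOOKUPS = frozenset(
    {"year", "iso_year", "quarter", "month", "week", "week_day",
     "iso_week_day", "day", "hour", "minute", "second"}
)


def render_trunc_sql(kind: str, column: str) -> str:
    """The risky pattern: `kind` is spliced into SQL text as-is, so any value
    that is not a bare keyword changes the statement. Shown for contrast."""
    return f"DATE_TRUNC('{kind}', {column})"


def safe_trunc_kind(value: str) -> str:
    """Return `value` only if it is an exact allowlist member, else raise."""
    if value not in TRUNC_KINDS:
        raise ValueError(f"unsupported Trunc kind: {value!r}")
    return value


def safe_extract_lookup(value: str) -> str:
    """Same check for Extract's lookup_name argument."""
    if value not in EXTRACT_LOOKUPS:
        raise ValueError(f"unsupported Extract lookup: {value!r}")
    return value


def trunc_sql_from_request(params: dict, column: str) -> str:
    """Mimics a view that lets the client pick a grouping granularity:
    default to 'day', normalise case, validate, and only then render."""
    kind = safe_trunc_kind(params.get("kind", "day").lower())
    return render_trunc_sql(kind, column)


if __name__ == "__main__":
    # Constructed sample query parameters, one valid and two malformed.
    print(trunc_sql_from_request({"kind": "Month"}, "created_at"))
    for bad in ({"kind": "month'"}, {"kind": "month; x"}):
        try:
            trunc_sql_from_request(bad, "created_at")
        except ValueError as exc:
            print("rejected:", exc)
```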

Django's developers released Django 4.0.6 and Django 3.2.14 to patch the vulnerability. For users unable to upgrade to these releases, the developers published separate patches for each affected version.

Django credited researcher Takuto Yoshikai from Aeye Security Lab with reporting the vulnerability.

Red Hat Investigating Impact

Red Hat, another open-source software vendor, rated Django's CVE-2022-34265 as a critical vulnerability based on its "preliminary" review and gave it a CVSS v3 base score of 9.8.

Red Hat assesses that the attack complexity is "low" and that the privileges and user interaction required for exploitation are "none."

Red Hat is currently investigating 11 of its open-source packages that incorporate Django - including Satellite, OpenStack Platform, Ceph Storage and Update Infrastructure. Red Hat's analysis is ongoing.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
