Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.

Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Mariusz Felisiak 2022-04-01 08:10:22 +02:00
parent 62739b6e26
commit 93cae5cb2f
8 changed files with 108 additions and 0 deletions


@ -5,3 +5,11 @@ Django 2.2.28 release notes
*April 11, 2022*
Django 2.2.28 fixes two security issues with severity "high" in 2.2.27.
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
====================================================================================================
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.
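
Review bot: the added section describes only the pre-fix weakness and says nothing about what changes for callers after the fix. The commit title says the three methods are now protected against injection in column aliases, so a sentence stating what a caller now observes when an alias is rejected (the hunk does not show the code change, so take the wording from it) would let projects that build alias names dynamically anticipate the behaviour change when upgrading to 2.2.28.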


@ -7,6 +7,14 @@ Django 3.2.13 release notes
Django 3.2.13 fixes two security issues with severity "high" in
3.2.12 and a regression in 3.2.4.
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
====================================================================================================
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.
Bugfixes
========
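
Review bot: the closing sentence of the new section ("were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to these methods") stacks three comma-separated qualifiers and is hard to parse. Consider "were subject to SQL injection in column aliases when a suitably crafted dictionary was expanded into the ``**kwargs`` passed to these methods." The same paragraph is repeated in the 2.2.28 and 4.0.4 notes in this commit, so apply the wording change to all three copies.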


@ -7,6 +7,14 @@ Django 4.0.4 release notes
Django 4.0.4 fixes two security issues with severity "high" and two bugs in
4.0.3.
CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()``
====================================================================================================
:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and
:meth:`~.QuerySet.extra` methods were subject to SQL injection in column
aliases, using a suitably crafted dictionary, with dictionary expansion, as the
``**kwargs`` passed to these methods.
Bugfixes
========