CVE-2022-28347
CRITICAL: Django 2.2-2.2.27, 3.2-3.2.12, 4.0-4.0.3 - SQL Injection via QuerySet.explain() Options
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
References (7)
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5254
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/04/11/1
Patch, Vendor Advisory
https://docs.djangoproject.com/en/4.0/releases/security/
Patch, Vendor Advisory
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
Scores
CVSS v3
9.8
EPSS
0.0067
EPSS Percentile
71.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (3)
debian/debian_linux
11.0
djangoproject/django
2.2 - 2.2.28
pypi/Django
2.2 - 2.2.28 (PyPI)
Published
Apr 12, 2022
Tracked Since
Feb 18, 2026