CVE-2022-34265

CRITICAL NUCLEI LAB

Django < 3.2.14 - SQL Injection

Title source: rule

Description

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Exploits (6)

nomisec WORKING POC 124 stars
by aeyesec · poc
https://github.com/aeyesec/CVE-2022-34265
nomisec WORKING POC 4 stars
by ZhaoQi99 · poc
https://github.com/ZhaoQi99/CVE-2022-34265
nomisec WORKING POC 3 stars
by traumatising · poc
https://github.com/traumatising/CVE-2022-34265
nomisec WORKING POC 1 star
by lnwza0x0a · poc
https://github.com/lnwza0x0a/CTF_Django_CVE-2022-34265
gitlab WORKING POC
by ZhaoQi99 · poc
https://gitlab.com/ZhaoQi99/CVE-2022-34265
inthewild WORKING POC
poc
https://github.com/not-xences/cve-2022-34265

Nuclei Templates (1)

Django - SQL injection
CRITICAL by princechaddha

Scores

CVSS v3 9.8
EPSS 0.9283
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull postgres:latest
docker pull mysql:5.7

Details

CWE
CWE-89
Status published
Products (2)
djangoproject/django 3.2 - 3.2.14
pypi/Django 3.2a1 - 3.2.14 (PyPI)
Published Jul 04, 2022
Tracked Since Feb 18, 2026