Django fixes SQL Injection vulnerability in new releases

The Django project, an open source Python-based web framework has patched a high severity vulnerability in its latest releases.

Tracked as CVE-2022-34265, the potential SQL Injection vulnerability exists in Django's main branch, and versions 4.1 (currently in beta), 4.0, and 3.2. New releases and patches issued today squash the vulnerability.

Tens of thousands of websites, including some popular brands in the U.S. alone choose Django as their Model-Template-View framework, according to some estimates. This is why the need to upgrade or patch your Django instances against bugs like these is crucial.

New releases mitigate potential SQL Injection 

Today, the Django team has released versions Django 4.0.6 and Django 3.2.14 that address a high-severity SQL injection vulnerability and is urging developers to upgrade or patch their Django instances as soon as possible.

Assigned CVE-2022-34265, the vulnerability can allow a threat actor to attack Django web applications via arguments provided to the Trunc(kind) and Extract(lookup_name) functions.

"Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value," states the advisory.

"Applications that constrain the lookup name and kind choice to a known safe list are unaffected."

In other words, your application is not vulnerable if it is performing some kind of input sanitization or escaping before passing these arguments to the Trunc and Extract functions. 

Researcher Takuto Yoshikai of Aeye Security Lab has been credited with responsibly reporting the vulnerability.

Patches also available

For those unable to upgrade to fixed Django versions 4.0.6 or 3.2.14, the team has made patches available that can be applied to existing affected versions.

"This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before [its] final release," further states Django team.

"This will impact 3rd party database backends using Django 4.1 release candidate 1 or newer, until they are able to update to the API changes. We apologize for the inconvenience."

Django's security policy states that any potential security issues be reported privately via email to security@djangoproject.com, as opposed to using Django's Trac instance or public mailing lists.