CVE-2022-34265 is a new high-severity vulnerability in the Django project, an open-source Python-based web framework. The vulnerability was reported by Takuto Yoshikai from Aeye Security Lab.
CVE-2022-34265: Short Technical Overview
The vulnerability has been fixed in Django 4.0.6 and Django 3.2.14. Django users should update to these releases as soon as possible.
The vulnerability is described as a potential SQL injection that could be triggered via the Trunc(kind) and Extract(lookup_name) arguments.
“Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected,” the official advisory noted.
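As an added example that is not part of this article or of Django's own code, this is what the allowlist approach the advisory describes looks like in application code: a request-supplied value is accepted only if it is literally one of the known kind/lookup_name values, and anything else is rejected before it reaches the ORM. The allowlists reproduce the values documented for Trunc() and Extract(); the query parameter names `period` and `part`, the helper names, and the lazy Django import (so the validation helpers run without Django installed) are assumptions made for this example.

```python
"""Allowlist validation for Trunc()/Extract() arguments (added example, not Django's code).

The advisory notes that applications which constrain ``kind``/``lookup_name`` to a
known safe list are unaffected by CVE-2022-34265. These helpers enforce that
restriction before a request-supplied value ever reaches the ORM.
"""

# Lookup names accepted by django.db.models.functions.Extract (assumption: taken
# from the Django documentation; trim to what your application actually needs).
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})

# Kinds accepted by django.db.models.functions.Trunc (same caveat).
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "date", "time", "hour", "minute", "second",
})


def validate_choice(value, allowed, what):
    """Return ``value`` only if it is exactly one of ``allowed``; otherwise raise.

    Exact membership (no case folding, no whitespace stripping, no substring
    matching) keeps the check fail-closed: anything not literally on the list
    is rejected, so no attacker-controlled text is ever interpolated into SQL.
    """
    if not isinstance(value, str) or value not in allowed:
        raise ValueError(f"unsupported {what}: {value!r}")
    return value


def is_allowed(value, allowed):
    """Boolean form of validate_choice(), convenient for form/serializer checks."""
    try:
        validate_choice(value, allowed, "value")
        return True
    except ValueError:
        return False


def period_kind(params, default="month"):
    """Read a Trunc kind from request query params (a dict-like such as request.GET)."""
    return validate_choice(params.get("period", default), TRUNC_KINDS, "period")


def extract_lookup(params, default="year"):
    """Read an Extract lookup name from request query params."""
    return validate_choice(params.get("part", default), EXTRACT_LOOKUPS, "date part")


def counts_per_period(queryset, field, params):
    """Group ``queryset`` by a validated Trunc() of ``field``.

    ``queryset`` is assumed to be a real QuerySet and ``field`` the name of a
    DateTimeField on its model. Django is imported lazily so the validation
    helpers above can be exercised without Django installed.
    """
    from django.db.models import Count
    from django.db.models.functions import Trunc

    kind = period_kind(params)  # raises ValueError on anything off the allowlist
    return (queryset.annotate(period=Trunc(field, kind))
                    .values("period")
                    .annotate(n=Count("pk"))
                    .order_by("period"))
```

In a view, call `counts_per_period(Order.objects.all(), "created_at", request.GET)` inside a `try`/`except ValueError` and return a 400 response on failure; the point is that the string handed to Trunc() can only ever be one of the constants above, regardless of what the client sent.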
The security release mitigates the vulnerability, but the Django developers say they have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before its final release.
This change will affect third-party database backends running Django 4.1 release candidate 1 or newer until they are updated for the API changes.