CVE-2022-34265 is a new high severity vulnerability in the Django project, an open-source Python-based web framework. The vulnerability has been reported by Takuto Yoshikai from Aeye Security Lab.
CVE-2022-34265: Short Technical Overview
The vulnerability has been fixed in Django 4.0.6 and Django 3.2.14 which address the security issue. Django users should update as soon as possible to the latest releases.
The vulnerability has been described as a potential SQL injection that could be triggered via Trunc(kind) and Extract(lookup_name) arguments.
“Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected,” the official advisory noted.
The security release mitigates the vulnerability, but the company says they have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before its final release.
This action will impact third party database backends running Django 4.1 release candidate 1 or newer, until they are able to update to the API changes.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me:
「吉海拓人」ではなく、「吉開拓人」さんですね。よかったら直してください。
The kanji of Yoshikai-san’s family name is 吉開, not 吉海. Please fix it for him.