Security Vulnerability Detected
Dependency: Django
Criticality: CRITICAL (Score: undefined)
Vulnerability Details
Name: CVE-2022-28346
Description:
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Metadata
"{\"vulnerabilityIdentifiers\":[\"CVE-2022-28346\"],\"published\":\"2022-04-12T05:15:06.927\",\"lastModified\":\"2024-11-21T06:57:11.007\",\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":5.9,\"weaknesses\":[\"CWE-89\"]}"
Security Vulnerability Detected
Dependency:
DjangoCriticality: CRITICAL (Score: undefined)
Vulnerability Details
Name: CVE-2022-28346
Description:
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
Metadata
"{\"vulnerabilityIdentifiers\":[\"CVE-2022-28346\"],\"published\":\"2022-04-12T05:15:06.927\",\"lastModified\":\"2024-11-21T06:57:11.007\",\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":5.9,\"weaknesses\":[\"CWE-89\"]}"