What is CVE-2022-28346?

CVE-2022-28346 refers to a SQL injection vulnerability in the Django package.

How severe is CVE-2022-28346?

CVE-2022-28346 is considered critical with a severity score of 9.8.

Which versions of Django are affected by CVE-2022-28346?

Django versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4 are affected by CVE-2022-28346.

How can I fix CVE-2022-28346?

To fix CVE-2022-28346, update Django to versions 2.2.28, 3.2.13, or 4.0.4 or later.

Where can I find more information about CVE-2022-28346?

You can find more information about CVE-2022-28346 in the official CVE record, NVD database, Django website, Bugzilla, and Red Hat Security Advisories.

Vulnerability/
CVE-2022-28346

critical

9.8

CWE

6/4/2022

11/4/2022

13/4/2022

5/9/2023

CVE-2022-28346: SQL Injection

First published: Wed Apr 06 2022(Updated: )

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. `QuerySet.annotate()`, `aggregate()`, and `extra()` methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed `**kwargs`.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/automation-controller	<0:4.1.2-2.el8a	0:4.1.2-2.el8a
redhat/python-django	<0:3.2.13-1.el8	0:3.2.13-1.el8
redhat/python3-django	<0:2.2.28-1.el7	0:2.2.28-1.el7
redhat/python3-django	<0:2.2.28-1.el8	0:2.2.28-1.el8
redhat/python-django20	<0:2.0.13-18.el8	0:2.0.13-18.el8
redhat/python-django20	<0:2.0.13-17.el8	0:2.0.13-17.el8
redhat/python-django	<0:3.2.13-2.el8	0:3.2.13-2.el8
redhat/python-pulpcore	<0:3.17.6-3.el8	0:3.17.6-3.el8
Djangoproject Django	>=2.2<2.2.28
Djangoproject Django	>=3.2<3.2.13
Djangoproject Django	>=4.0<4.0.4
Debian Debian Linux	=9.0
Debian Debian Linux	=11.0
pip/Django	>=4.0<4.0.4	4.0.4
pip/Django	>=3.2<3.2.13	3.2.13
pip/Django	>=2.2<2.2.28	2.2.28
debian/2:3.2.12-2
debian/1:1.10.7-2+deb9u15
debian/2:2.2.26-1~deb11u1
debian/python-django	<=1:1.11.29-1~deb10u1	1:1.11.29-1+deb10u10 2:2.2.28-1~deb11u2 3:3.2.19-1+deb12u1 3:3.2.21-1 3:4.2.8-1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-28346?
CVE-2022-28346 refers to a SQL injection vulnerability in the Django package.
How severe is CVE-2022-28346?
CVE-2022-28346 is considered critical with a severity score of 9.8.
Which versions of Django are affected by CVE-2022-28346?
Django versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4 are affected by CVE-2022-28346.
How can I fix CVE-2022-28346?
To fix CVE-2022-28346, update Django to versions 2.2.28, 3.2.13, or 4.0.4 or later.
Where can I find more information about CVE-2022-28346?
You can find more information about CVE-2022-28346 in the official CVE record, NVD database, Django website, Bugzilla, and Red Hat Security Advisories.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/debian-bugs
alias/CVE-2022-28346
collector/github-advisory
alias/GHSA-2gwj-7jmv-h26r
collector/github-advisory-latest
collector/nvd-cve
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/redhat-cve
collector/security-tracker-debian
package-manager/debian
package-manager/pip
vendor/djangoproject
canonical/djangoproject django
version/djangoproject django/2.2
version/djangoproject django/3.2
version/djangoproject django/4.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/11.0
package-manager/redhat