Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. SQL Injection Vulnerability in Django
Alerts

SQL Injection Vulnerability in Django

5 July 2022

The Django project, an open source Python-based web framework, has issued a security release to address a high severity vulnerability. This vulnerability, assigned as CVE-2022-34265, exists in Django's main branch, versions 4.1(beta), 4.0 and 3.2 . Due to this vulnerability, a threat actor can attack Django web applications by injecting malicious code via arguments provided to the Trunc() and Extract() database functions.

Django has released versions Django 4.0.6 and Django 3.2.14 that address this vulnerability and urges developers to upgrade their Django web applications as soon as possible.

If you are unable to upgrade to fixed Django versions 4.06 or 3.2.14, the team has also made patches available that can be applied to existing affected versions. The patches for affected versions can be found in the links below:
Main Branch
Django 4.1
Django 4.0
Django 3.2

References:
https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2022-34265

Back to top