CVE-2022-34265
Published: 04 July 2022
Summary
CVE-2022-34265 is a critical-severity SQL Injection (CWE-89) vulnerability in Djangoproject Django. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-34265 is a SQL injection vulnerability affecting the Trunc() and Extract() database functions in Django versions 3.2 before 3.2.14 and 4.0 before 4.0.6. The flaw arises when untrusted data is supplied as a kind or lookup_name argument; applications that restrict these values to a known-safe list are not impacted. It carries a CVSS 3.1 base score of 9.8 and is classified under CWE-89.
An unauthenticated remote attacker can supply a malicious lookup name or kind value through any application endpoint that passes user-controlled input directly to these functions. Successful exploitation allows arbitrary SQL execution, resulting in full compromise of confidentiality, integrity, and availability of the underlying database and potentially the Django application itself.
Official Django security releases and downstream advisories direct users to upgrade immediately to 3.2.14 or 4.0.6 (or later). The referenced announcements also include package updates for Fedora and NetApp products that embed the affected Django versions.
The associated EPSS score stands at 0.9283, indicating a high likelihood of exploitation in the wild.
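The mitigation the advisory describes, constraining the kind/lookup_name to a known-safe list before it reaches Trunc() or Extract(), as an added example that is not part of the advisory or the Django project's own code. The allowlist contents, the UnsafeDatePart exception and the helper names are assumptions; the only Django call used is Trunc() itself.

```python
"""Allowlist guard for the Trunc()/Extract() kind and lookup_name arguments.

The kind/lookup_name names a SQL date part, so it must never reach
Trunc()/Extract() straight from request data. The allowlists below are an
assumption (Django's documented date parts); trim them to what you need.
"""
from typing import FrozenSet, Optional

TRUNC_KINDS: FrozenSet[str] = frozenset({
    "year", "quarter", "month", "week", "day", "hour", "minute", "second",
})
EXTRACT_LOOKUPS: FrozenSet[str] = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})


class UnsafeDatePart(ValueError):
    """Request input is not on the allowlist (or is not a plain string)."""


def safe_date_part(value, allowed: FrozenSet[str],
                   default: Optional[str] = None) -> str:
    """Map request input onto the allowlist and return the allowlist's own
    string, never the raw input. Only str is accepted: bytes, lists and
    objects with a custom __eq__/__str__ are rejected outright."""
    if value is not None and not isinstance(value, str):
        raise UnsafeDatePart(f"date part must be str, got {type(value).__name__}")
    if value is None or not value.strip():
        if default is not None and default in allowed:
            return default
        raise UnsafeDatePart("date part is required")
    candidate = value.strip().lower()
    for part in allowed:            # hand back the allowlist member, not user data
        if candidate == part:
            return part
    raise UnsafeDatePart(f"unsupported date part: {value!r}")


def kind_from_request(query_params: dict, name: str = "group_by") -> str:
    """Resolve the Trunc() kind from a (constructed) query-string dict."""
    return safe_date_part(query_params.get(name), TRUNC_KINDS, default="day")


def trunc_by_request(expression, query_params: dict, **kwargs):
    """Build Trunc() with a validated kind. Django is imported lazily so the
    validation above is usable (and testable) without Django installed."""
    from django.db.models.functions import Trunc  # Django's real API
    return Trunc(expression, kind_from_request(query_params), **kwargs)
```

Used from a view, the same pattern applies to Extract() with EXTRACT_LOOKUPS; the value passed on is always one of the fixed strings, so the query cannot be shaped by the request.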
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-0091
Vulnerability details
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.