Cyber Resilience

CVE-2022-34265

Critical

Published: 04 July 2022
Modified: 21 November 2024
KEV Added: not listed (see Summary)
Patch: upgrade to 3.2.14 or 4.0.6 (see Deeper analysis)
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.9283 (99.8th percentile)
Risk Priority: 75 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-34265 is a critical-severity SQL Injection (CWE-89) vulnerability in the Django web framework (vendor: djangoproject). Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 0.2% of CVEs by exploit likelihood, although it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-34265 is a SQL injection vulnerability affecting the Trunc() and Extract() database functions in Django versions 3.2 before 3.2.14 and 4.0 before 4.0.6. The flaw arises when untrusted data is supplied as the kind argument of Trunc() or the lookup_name argument of Extract(); applications that restrict these values to a known-safe list are not impacted. It carries a CVSS 3.1 base score of 9.8 and is classified under CWE-89.

An unauthenticated remote attacker can supply a malicious lookup name or kind value through any application endpoint that passes user-controlled input directly to these functions. Successful exploitation allows arbitrary SQL execution, resulting in full compromise of confidentiality, integrity, and availability of the underlying database and potentially the Django application itself.

Official Django security releases and downstream advisories direct users to upgrade immediately to 3.2.14 or 4.0.6 (or later). The referenced announcements also include package updates for Fedora and NetApp products that embed the affected Django versions.

The associated EPSS score stands at 0.9283, indicating a high likelihood of exploitation in the wild.

EU & UK References

Vulnerability details

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

djangoproject django: 3.2 up to but excluding 3.2.14; 4.0 up to but excluding 4.0.6

Mitigating Controls

Likely Mitigating Controls (automatically derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: validates query inputs to prevent SQL syntax or command manipulation.
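The allow-list mitigation described under Deeper analysis and the input-validation control listed directly above, as an added example that is not part of this advisory and not code from the Django project. It assumes the lookup names and kinds that Django documents for Extract() and Trunc(); the version check encodes only the two affected ranges stated on this page, and its handling of pre-release suffixes is an assumption of the example. Django is imported lazily inside the two builder functions, so the guard and the version check run without Django installed.

```python
"""Allow-list guard for the kind / lookup_name argument of Django's
Trunc() and Extract(), plus a version check against the fixed releases
named in this advisory (3.2.14 and 4.0.6).

Added example for this page; not code from Django or from the advisory.
"""
import re

# Allow-lists constructed for this example from the lookup names Django
# documents for Extract() and the kinds it documents for Trunc(). Input
# that is not literally one of these names is rejected before it can
# reach the ORM.
EXTRACT_LOOKUP_NAMES = frozenset({
    "year", "iso_year", "quarter", "month", "day", "week",
    "week_day", "iso_week_day", "hour", "minute", "second",
})
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day",
    "date", "time", "hour", "minute", "second",
})


class UnsafeLookupName(ValueError):
    """User input was not one of the allow-listed lookup names / kinds."""


def safe_lookup_name(user_value, allowed):
    """Return user_value only if it is exactly one of the allowed names.

    This is the mitigation the advisory describes: constrain the lookup
    name / kind choice to a known safe list. The check is an exact string
    match against a closed set with no normalisation, so a value that
    differs in case, whitespace or punctuation is rejected and only a
    known identifier is ever handed to the ORM.
    """
    if not isinstance(user_value, str) or user_value not in allowed:
        raise UnsafeLookupName(f"lookup name not permitted: {user_value!r}")
    return user_value


def build_trunc(field_name, user_kind):
    """Guarded replacement for the vulnerable pattern of passing a request
    parameter straight into Trunc(field, kind)."""
    kind = safe_lookup_name(user_kind, TRUNC_KINDS)
    from django.db.models.functions import Trunc  # Django's own API
    return Trunc(field_name, kind)


def build_extract(field_name, user_lookup):
    """Guarded replacement for Extract(field, lookup_name) with user input."""
    lookup = safe_lookup_name(user_lookup, EXTRACT_LOOKUP_NAMES)
    from django.db.models.functions import Extract  # Django's own API
    return Extract(field_name, lookup)


# Affected ranges exactly as stated in this advisory: 3.2 before 3.2.14
# and 4.0 before 4.0.6 (lower bound inclusive, upper bound exclusive).
AFFECTED_RANGES = (((3, 2, 0), (3, 2, 14)), ((4, 0, 0), (4, 0, 6)))


def parse_version(text):
    """Turn '3.2.13' (or '3.2') into a 3-tuple of ints. Anything after
    the numeric part, e.g. 'rc1', is ignored; that is an assumption of
    this example, not Django's version grammar."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True when the Django version lies in a range this advisory lists."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for candidate in ("month", "Month", "iso_week_day"):
        try:
            print(candidate, "->", safe_lookup_name(candidate, TRUNC_KINDS))
        except UnsafeLookupName as exc:
            print(candidate, "-> rejected:", exc)
    for ver in ("3.2.13", "3.2.14", "4.0.5", "4.0.6"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

A project that exposes friendlier labels to users (for example "By month") should map each label to one of the allow-listed constants in a dictionary and pass only the mapped constant to build_trunc() or build_extract(); the guard then never sees free-form text at all. The version check is a quick triage aid only and says nothing about versions outside the two ranges this advisory names.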

References