Bug 2072447 (CVE-2022-28346)

Summary: CVE-2022-28346 Django: SQL injection in QuerySet.annotate(), aggregate() and extra()
Product: [Other] Security Response
Reporter: Vipul Nair <vinair>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amctagga, aoconnor, apevec, bazanluis20, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, cqi, crosa, davidn, dzickus, eglynn, ehelms, extras-orphan, flucifre, gblomqui, gmeno, igor.raits, jcammara, jhardy, jjoyce, jobarker, jonathansteffan, jsherril, jvisser, jwong, kaycoth, kshier, lhh, lzap, mabashia, mbenjamin, mburns, mhackett, mhulan, mkrizek, mmccune, mrunge, myarboro, ngompa13, nmoumoul, notting, orabin, osapryki, pbrobinson, pcreech, piotr1212, rchan, rdopiera, relrod, rhos-maint, rpetrell, sdoran, security-response-team, smcdonal, sostapov, spower, tkuratom, tmeszaro, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Django 4.0.4, Django 3.2.13, Django 2.2.28
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Django package that leads to SQL injection. This flaw allows an attacker to compromise the database completely by supplying a crafted dictionary containing malicious SQL.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-06-22 21:06:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2074856, 2074857, 2074859, 2074860, 2074858, 2074861, 2074862, 2074863, 2074864, 2074865, 2074866, 2074867, 2074869, 2074871, 2074872, 2074874, 2074876, 2074878, 2074879, 2074881, 2074954, 2074955, 2074956, 2074957, 2074958, 2074959, 2074960, 2074961, 2074962, 2074963, 2074964, 2074965, 2075662, 2075663, 2075919, 2075920, 2075921, 2076571, 2076572, 2076573, 2085188, 2102716, 2102717, 2102718
Bug Blocks: 2072463

Description Vipul Nair 2022-04-06 10:47:30 UTC
``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to these methods.

This issue has High severity, according to the Django security policy [1].
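
The weak point described in the report is that dictionary keys become column aliases in generated SQL, so any application that builds the ``**kwargs`` for these methods from caller-supplied names needs to screen those names before expansion (or, better, never let callers choose alias names at all). The following is an added example and is not Django's code, nor part of this bug report: ``FORBIDDEN_ALIAS_PATTERN`` is an assumption modelled on the kind of alias check the fixed versions listed above introduced, ``ALLOWED_AGGREGATES`` is a constructed allow-list, and the sample alias names are constructed input.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Characters and sequences that have no business in a column alias: quotes,
# backticks, square brackets, semicolons, whitespace and SQL comment markers.
# ASSUMPTION: this pattern is modelled on the upstream alias check; it is an
# illustration written for this example, not Django's own code.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")


def is_safe_alias(alias: str) -> bool:
    """Return True when `alias` contains none of the forbidden characters."""
    return FORBIDDEN_ALIAS_PATTERN.search(alias) is None


def unsafe_aliases(kwargs: Dict[str, object]) -> List[str]:
    """Return the keys of `kwargs` that would be rejected as column aliases."""
    return [key for key in kwargs if not is_safe_alias(key)]


def validate_aliases(kwargs: Dict[str, object]) -> Dict[str, object]:
    """Reject `kwargs` if any key is not a safe alias, otherwise return it.

    Intended to sit in front of a call such as ``qs.annotate(**kwargs)`` when
    the keys originate outside the application (query string, JSON body, ...).
    """
    bad = unsafe_aliases(kwargs)
    if bad:
        raise ValueError(
            "column aliases must not contain whitespace, quotes, brackets, "
            "semicolons or SQL comment markers: %r" % (bad,)
        )
    return kwargs


# Stricter alternative: callers select from fixed, server-defined names, so an
# alias never comes from input at all. Constructed allow-list for this example;
# each value stands in for the aggregate expression that would be built.
ALLOWED_AGGREGATES: Dict[str, Tuple[str, str]] = {
    "total_amount": ("Sum", "amount"),
    "avg_score": ("Avg", "score"),
    "row_count": ("Count", "id"),
}


def build_annotation_kwargs(requested: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map requested names onto the allow-list, rejecting anything unknown."""
    requested = list(requested)
    unknown = [name for name in requested if name not in ALLOWED_AGGREGATES]
    if unknown:
        raise ValueError("unknown aggregate name(s): %r" % (unknown,))
    return {name: ALLOWED_AGGREGATES[name] for name in requested}


if __name__ == "__main__":
    # Constructed sample of caller-supplied alias names; only the first two
    # should survive the screen.
    candidate = {
        "total_amount": ("Sum", "amount"),
        "avg_score": ("Avg", "score"),
        "bad alias": ("Count", "id"),
        "bad;alias": ("Count", "id"),
        'bad"alias': ("Count", "id"),
        "bad--alias": ("Count", "id"),
    }
    print("rejected:", unsafe_aliases(candidate))
    print("allow-listed:", build_annotation_kwargs(["total_amount", "row_count"]))
```

The character screen is the minimum that makes dictionary expansion safe; the allow-list is what a reviewer should ask for whenever the set of aggregates is known in advance, since it removes the alias-from-input pattern entirely rather than filtering it.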

Comment 2 Vipul Nair 2022-04-13 09:27:11 UTC
Created autotest-framework tracking bugs for this issue:

Affects: epel-all [bug 2074857]


Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2074858]


Created netbox tracking bugs for this issue:

Affects: epel-all [bug 2074856]
Affects: fedora-all [bug 2074862]


Created python-django-ajax-selects tracking bugs for this issue:

Affects: epel-all [bug 2074859]


Created python-django-helpdesk tracking bugs for this issue:

Affects: epel-all [bug 2074860]


Created python-django-nose tracking bugs for this issue:

Affects: fedora-all [bug 2074863]


Created python-django-uuslug tracking bugs for this issue:

Affects: fedora-all [bug 2074864]


Created zezere tracking bugs for this issue:

Affects: epel-all [bug 2074861]
Affects: fedora-all [bug 2074865]

Comment 12 errata-xmlrpc 2022-06-22 16:06:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:5115 https://access.redhat.com/errata/RHSA-2022:5115

Comment 13 Product Security DevOps Team 2022-06-22 21:06:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-28346

Comment 17 errata-xmlrpc 2022-07-05 14:27:43 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

Comment 18 errata-xmlrpc 2022-07-19 13:03:33 UTC
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2022:5602 https://access.redhat.com/errata/RHSA-2022:5602

Comment 19 errata-xmlrpc 2022-07-25 18:13:40 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.1 for RHEL 8

Via RHSA-2022:5702 https://access.redhat.com/errata/RHSA-2022:5702

Comment 20 errata-xmlrpc 2022-07-25 19:51:40 UTC
This issue has been addressed in the following products:

  Red Hat Automation Hub 4.2 for RHEL 8
  Red Hat Automation Hub 4.2 for RHEL 7

Via RHSA-2022:5703 https://access.redhat.com/errata/RHSA-2022:5703

Comment 21 errata-xmlrpc 2022-12-07 20:27:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:8872 https://access.redhat.com/errata/RHSA-2022:8872