Bug 2072459 (CVE-2022-28347)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2022-28347 Django: SQL injection via QuerySet.explain(options) on PostgreSQL | | |
| Product: | [Other] Security Response | Reporter: | Vipul Nair <vinair> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | amctagga, aoconnor, apevec, bazanluis20, bbuckingham, bcoca, bcourt, bkearney, bniver, btotty, chousekn, cmeyers, cqi, crosa, davidn, eglynn, ehelms, extras-orphan, flucifre, gblomqui, gmeno, jcammara, jhardy, jjoyce, jobarker, jonathansteffan, jsherril, jvisser, jwong, kaycoth, kshier, lhh, lzap, mabashia, mbenjamin, mburns, mhackett, mhulan, mkrizek, mrunge, myarboro, ngompa13, nmoumoul, notting, orabin, osapryki, pbrobinson, pcreech, piotr1212, rchan, rdopiera, relrod, rhos-maint, rpetrell, sdoran, security-response-team, smcdonal, sostapov, spower, tkuratom, tmeszaro, vereddy, ytale |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Django 4.0.4, Django 3.2.13, Django 2.2.28 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the Django package, leading to a SQL injection. This flaw allows an attacker using a crafted dictionary containing malicious SQL queries to compromise the database completely. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-08-30 12:25:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2074868, 2074870, 2074873, 2074875, 2074877, 2074880, 2074882, 2074883, 2074884, 2074885, 2074904, 2074905, 2074906, 2074908, 2074909, 2074910, 2074911, 2074912, 2074913, 2074914, 2074969, 2074970, 2074971, 2074972, 2074973, 2074974, 2074975, 2074976, 2074977, 2074978, 2074979, 2074980, 2075664, 2075665, 2075922, 2075923, 2075924, 2076568, 2076569, 2076570, 2085188, 2102713, 2102714, 2102715 | | |
| Bug Blocks: | 2072463 | | |
Description
Vipul Nair
2022-04-06 11:12:57 UTC
Created autotest-framework tracking bugs for this issue:
Affects: epel-all [bug 2074870]

Created graphite-web tracking bugs for this issue:
Affects: epel-all [bug 2074873]

Created netbox tracking bugs for this issue:
Affects: epel-all [bug 2074868]
Affects: fedora-all [bug 2074882]

Created python-django-ajax-selects tracking bugs for this issue:
Affects: epel-all [bug 2074875]

Created python-django-helpdesk tracking bugs for this issue:
Affects: epel-all [bug 2074877]

Created python-django-nose tracking bugs for this issue:
Affects: fedora-all [bug 2074883]

Created python-django-uuslug tracking bugs for this issue:
Affects: fedora-all [bug 2074884]

Created zezere tracking bugs for this issue:
Affects: epel-all [bug 2074880]
Affects: fedora-all [bug 2074885]

This issue has been addressed in the following products:
Red Hat Satellite 6.11 for RHEL 7
Red Hat Satellite 6.11 for RHEL 8
Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

This issue has been addressed in the following products:
RHUI 4 for RHEL 8
Via RHSA-2022:5602 https://access.redhat.com/errata/RHSA-2022:5602

This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.1 for RHEL 8
Via RHSA-2022:5702 https://access.redhat.com/errata/RHSA-2022:5702

This issue has been addressed in the following products:
Red Hat Automation Hub 4.2 for RHEL 8
Red Hat Automation Hub 4.2 for RHEL 7
Via RHSA-2022:5703 https://access.redhat.com/errata/RHSA-2022:5703

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-28347