The ``QuerySet.explain()`` method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the ``**options`` argument. This issue has High severity, according to the Django security policy [1].
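
An application-side guard for the pattern described above, as an added example (not Django's code and not the upstream fix). `render_prefix_naive` is a simplified model of copying option names into SQL verbatim; the allowlist, function names and sample dictionaries are assumptions constructed for illustration.

```python
import re

# Assumed allowlist: PostgreSQL EXPLAIN flags this application chooses to expose.
ALLOWED_OPTIONS = frozenset(
    {"analyze", "verbose", "costs", "buffers", "timing", "summary"}
)
NAME_RE = re.compile(r"[A-Za-z_]+")


def render_prefix_naive(options):
    """Simplified model of the flaw: option names are copied into SQL verbatim."""
    parts = [
        f"{name.upper()} {'true' if value else 'false'}"
        for name, value in options.items()
    ]
    return f"EXPLAIN ({', '.join(parts)})" if parts else "EXPLAIN"


def clean_explain_options(untrusted):
    """Validate a request-supplied dict before expanding it as **options."""
    if not isinstance(untrusted, dict):
        raise TypeError("options must be a dict")
    clean = {}
    for name, value in untrusted.items():
        # Dictionary keys are data, not identifiers: check shape, then allowlist.
        if not isinstance(name, str) or not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid option name: {name!r}")
        key = name.lower()
        if key not in ALLOWED_OPTIONS:
            raise ValueError(f"option not allowed: {name!r}")
        if key in clean:
            raise ValueError(f"duplicate option: {name!r}")
        if not isinstance(value, bool):
            raise ValueError(f"option {name!r} must be a boolean")
        clean[key] = value
    return clean


def render_prefix_checked(untrusted):
    """Same rendering as the naive model, but only on validated names."""
    return render_prefix_naive(clean_explain_options(untrusted))


# Constructed sample input: the second key is not an option name at all.
SAMPLE_BAD = {"analyze": True, "verbose; select 1": True}
SAMPLE_GOOD = {"Analyze": True, "buffers": False}
```

In a view, the cleaned dictionary is what gets expanded, as in `queryset.explain(**clean_explain_options(data))`; this complements upgrading to a fixed Django release and does not replace it.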
Created autotest-framework tracking bugs for this issue:
Affects: epel-all [bug 2074870]

Created graphite-web tracking bugs for this issue:
Affects: epel-all [bug 2074873]

Created netbox tracking bugs for this issue:
Affects: epel-all [bug 2074868]
Affects: fedora-all [bug 2074882]

Created python-django-ajax-selects tracking bugs for this issue:
Affects: epel-all [bug 2074875]

Created python-django-helpdesk tracking bugs for this issue:
Affects: epel-all [bug 2074877]

Created python-django-nose tracking bugs for this issue:
Affects: fedora-all [bug 2074883]

Created python-django-uuslug tracking bugs for this issue:
Affects: fedora-all [bug 2074884]

Created zezere tracking bugs for this issue:
Affects: epel-all [bug 2074880]
Affects: fedora-all [bug 2074885]

This issue has been addressed in the following products:
  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8
Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

This issue has been addressed in the following products:
  RHUI 4 for RHEL 8
Via RHSA-2022:5602 https://access.redhat.com/errata/RHSA-2022:5602

This issue has been addressed in the following products:
  Red Hat Ansible Automation Platform 2.1 for RHEL 8
Via RHSA-2022:5702 https://access.redhat.com/errata/RHSA-2022:5702

This issue has been addressed in the following products:
  Red Hat Automation Hub 4.2 for RHEL 8
  Red Hat Automation Hub 4.2 for RHEL 7
Via RHSA-2022:5703 https://access.redhat.com/errata/RHSA-2022:5703

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-28347