CVE-2022-28346 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Sql injection
Description	QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2667	python-django	4.0.3-1	4.0.4-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
12 Apr 2022	ASA-202204-9	AVG-2667	python-django	High	sql injection

References
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200 https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60 https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48 https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d

References

https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200
https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60
https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48
https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d