Home
Packages
Forums
Wiki
GitLab
Security
AUR
Download

issues
advisories
todo
stats
log
login

CVE-2022-28346 - log back

CVE-2022-28346 edited at 12 Apr 2022 18:56:06

References

	https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
+	https://github.com/django/django/commit/93cae5cb2f9a4ef1514cf1a41f714fef08005200
+	https://github.com/django/django/commit/800828887a0509ad1162d6d407e94d8de7eafc60
+	https://github.com/django/django/commit/2044dac5c6968441be6f534c4139bcf48c5c7e48
+	https://github.com/django/django/commit/2c09e68ec911919360d5f8502cefc312f9e03c5d

CVE-2022-28346 created at 12 Apr 2022 18:35:55

Severity

+

High

Remote

+

Remote

Type

+	Sql injection

Description

+	QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.

References

+	https://www.djangoproject.com/weblog/2022/apr/11/security-releases/

Notes