CVE-2022-28347 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Sql injection
Description	QuerySet.explain() method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2667	python-django	4.0.3-1	4.0.4-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
12 Apr 2022	ASA-202204-9	AVG-2667	python-django	High	sql injection

References
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ https://github.com/django/django/commit/6723a26e59b0b5429a0c5873941e01a2e1bdbb81 https://github.com/django/django/commit/00b0fc50e1738c7174c495464a5ef069408a4402 https://github.com/django/django/commit/9e19accb6e0a00ba77d5a95a91675bf18877c72d https://github.com/django/django/commit/29a6c98b4c13af82064f993f0acc6e8fafa4d3f5

References

https://www.djangoproject.com/weblog/2022/apr/11/security-releases/
https://github.com/django/django/commit/6723a26e59b0b5429a0c5873941e01a2e1bdbb81
https://github.com/django/django/commit/00b0fc50e1738c7174c495464a5ef069408a4402
https://github.com/django/django/commit/9e19accb6e0a00ba77d5a95a91675bf18877c72d 
https://github.com/django/django/commit/29a6c98b4c13af82064f993f0acc6e8fafa4d3f5