Django fixes SQL Injection vulnerability in new releases

by | Jul 5, 2022 | News

vulnerability SQLi Django

Post Views: 280

Premium Content

Patreon

Subscribe to Patreon to watch this episode.

 

Reading Time: 2 Minutes

The Django project, an open source Python-based web framework has patched a high severity vulnerability(SQLi) in its latest releases.

 

 

 

Tracked as CVE-2022-34265, the potential SQL Injection vulnerability exists in Django’s main branch, and versions 4.1 (currently in beta), 4.0, and 3.2. New releases and patches issued today squash the vulnerability.

Tens of thousands of websites, including some popular brands in the U.S. alone choose Django as their Model-Template-View framework, according to some estimates. This is why the need to upgrade or patch your Django instances against bugs like these is crucial.

 

New releases mitigate potential SQL Injection 

 

Today, the Django team has released versions Django 4.0.6 and Django 3.2.14 that address a high-severity SQL injection vulnerability and is urging developers to upgrade or patch their Django instances as soon as possible.

Assigned CVE-2022-34265, the vulnerability can allow a threat actor to attack Django web applications via arguments provided to the Trunc(kind) and Extract(lookup_name) functions.

“Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value,” states the advisory.

“Applications that constrain the lookup name and kind choice to a known safe list are unaffected.”

In other words, your application is not vulnerable if it is performing some kind of input sanitization or escaping before passing these arguments to the Trunc and Extract functions. 

Researcher Takuto Yoshikai of Aeye Security Lab has been credited with responsibly reporting the vulnerability.

 

 

See Also: So you want to be a hacker?
Complete Offensive Security and Ethical Hacking Course

 

 

 

Solutions

 

Patches also available

 

For those unable to upgrade to fixed Django versions 4.0.6 or 3.2.14, the team has made patches available that can be applied to existing affected versions.

Patches to resolve the issue have been applied to Django’s main branch and to the 4.1, 4.0, and 3.2 release branches. The patches may be obtained from the following changesets:

“This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before [its] final release,” further states Django team.

 
 
 
 
 

Trending: CISA warns of hackers exploiting PwnKit Linux vulnerability

 

 

 

 

Trending: Offensive Security Tool: Axiom

 

 

 

“This will impact 3rd party database backends using Django 4.1 release candidate 1 or newer, until they are able to update to the API changes. We apologize for the inconvenience.”

Django’s security policy states that any potential security issues be reported privately via email to [email protected], as opposed to using Django’s Trac instance or public mailing lists.

 

 

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

 

 

 

Trending: How do QR Codes work and how criminal hackers use them to generate phishing attacks – Demo

 

Source: bleepingcomputer.com

Source Link

 

 

 

 

 

Merch

Share This