From 93cae5cb2f9a4ef1514cf1a41f714fef08005200 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Fri, 1 Apr 2022 08:10:22 +0200 Subject: Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases. Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev (DDV_UA) for the report. --- docs/releases/2.2.28.txt | 8 ++++++++ docs/releases/3.2.13.txt | 8 ++++++++ docs/releases/4.0.4.txt | 8 ++++++++ 3 files changed, 24 insertions(+) (limited to 'docs') diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt index 0669e2d599..a894bddb3c 100644 --- a/docs/releases/2.2.28.txt +++ b/docs/releases/2.2.28.txt @@ -5,3 +5,11 @@ Django 2.2.28 release notes *April 11, 2022* Django 2.2.28 fixes two security issues with severity "high" in 2.2.27. + +CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` +==================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and +:meth:`~.QuerySet.extra` methods were subject to SQL injection in column +aliases, using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to these methods. diff --git a/docs/releases/3.2.13.txt b/docs/releases/3.2.13.txt index c26a969f95..ee20aa2ca1 100644 --- a/docs/releases/3.2.13.txt +++ b/docs/releases/3.2.13.txt @@ -7,6 +7,14 @@ Django 3.2.13 release notes Django 3.2.13 fixes two security issues with severity "high" in 3.2.12 and a regression in 3.2.4. +CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` +==================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and +:meth:`~.QuerySet.extra` methods were subject to SQL injection in column +aliases, using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to these methods. + Bugfixes ======== diff --git a/docs/releases/4.0.4.txt b/docs/releases/4.0.4.txt index 6873e78900..6c22788bd1 100644 --- a/docs/releases/4.0.4.txt +++ b/docs/releases/4.0.4.txt @@ -7,6 +7,14 @@ Django 4.0.4 release notes Django 4.0.4 fixes two security issues with severity "high" and two bugs in 4.0.3. +CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` +==================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and +:meth:`~.QuerySet.extra` methods were subject to SQL injection in column +aliases, using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to these methods. + Bugfixes ======== -- cgit v1.3