diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-01 13:48:47 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-04-11 08:59:58 +0200 |
| commit | 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 (patch) | |
| tree | 59bbe514736c482903de4d92046e9f58594680d3 /docs/releases/3.2.13.txt | |
| parent | 93cae5cb2f9a4ef1514cf1a41f714fef08005200 (diff) | |
Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.
Diffstat (limited to 'docs/releases/3.2.13.txt')
| -rw-r--r-- | docs/releases/3.2.13.txt | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/docs/releases/3.2.13.txt b/docs/releases/3.2.13.txt index ee20aa2ca1..b7afbb8ed7 100644 --- a/docs/releases/3.2.13.txt +++ b/docs/releases/3.2.13.txt @@ -15,6 +15,13 @@ CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate( aliases, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to these methods. +CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on PostgreSQL +========================================================================================= + +:meth:`.QuerySet.explain` method was subject to SQL injection in option names, +using a suitably crafted dictionary, with dictionary expansion, as the +``**options`` argument. + Bugfixes ======== |