{"id":"GHSA-p64x-8rxx-wf6q","summary":"Django `Trunc()` and `Extract()` database functions vulnerable to SQL Injection","details":"An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The `Trunc()` and `Extract()` database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.","aliases":["BIT-django-2022-34265","CVE-2022-34265","PYSEC-2022-213"],"modified":"2025-02-21T05:27:38.084922Z","published":"2022-07-05T00:00:53Z","database_specific":{"github_reviewed":true,"nvd_published_at":"2022-07-04T16:15:00Z","severity":"CRITICAL","github_reviewed_at":"2022-07-05T21:08:03Z","cwe_ids":["CWE-89"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34265"},{"type":"WEB","url":"https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492"},{"type":"WEB","url":"https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db"},{"type":"WEB","url":"https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9"},{"type":"WEB","url":"https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e"},{"type":"WEB","url":"https://docs.djangoproject.com/en/4.0/releases/security"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-p64x-8rxx-wf6q"},{"type":"PACKAGE","url":"https://github.com/django/django"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml"},{"type":"WEB","url":"https://groups.google.com/forum/#!forum/django-announce"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20220818-0006"},{"type":"WEB","url":"https://www.debian.org/security/2022/dsa-5254"},{"type":"WEB","url":"https://www.djangoproject.com/weblog/2022/jul/04/security-releases"}],"affected":[{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2a1"},{"fixed":"3.2.14"}]}],"versions":["3.2","3.2.1","3.2.10","3.2.11","3.2.12","3.2.13","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","3.2a1","3.2b1","3.2rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-p64x-8rxx-wf6q/GHSA-p64x-8rxx-wf6q.json"}},{"package":{"name":"django","ecosystem":"PyPI","purl":"pkg:pypi/django"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.0a1"},{"fixed":"4.0.6"}]}],"versions":["4.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.0a1","4.0b1","4.0rc1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-p64x-8rxx-wf6q/GHSA-p64x-8rxx-wf6q.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}