{"id":"MGASA-2022-0281","summary":"Updated python-django packages fix security vulnerability","details":"An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6.\nThe Trunc() and Extract() database functions are subject to SQL injection\nif untrusted data is used as a kind/lookup_name value. Applications that\nconstrain the lookup name and kind choice to a known safe list are\nunaffected. (CVE-2022-34265)\nAn issue was discovered in the HTTP FileResponse class in Django 3.2\nbefore 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a\nreflected file download (RFD) attack that sets the Content-Disposition\nheader of a FileResponse when the filename is derived from user-supplied\ninput. (CVE-2022-36359)\n","modified":"2026-02-04T03:04:35.458318Z","published":"2022-08-13T02:32:35Z","related":["CVE-2022-34265","CVE-2022-36359"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0281.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30603"},{"type":"REPORT","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34265"},{"type":"REPORT","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36359"},{"type":"REPORT","url":"https://www.djangoproject.com/weblog/2022/aug/03/security-releases/"}],"affected":[{"package":{"name":"python-django","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-django?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.15-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0281.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}