{"id":"USN-5373-2","summary":"python-django vulnerabilities","details":"USN-5373-1 fixed several vulnerabilities in Django. This update provides\nthe corresponding update for Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.\n\nOriginal advisory details:\n\n It was discovered that Django incorrectly handled certain column\n aliases in the QuerySet.annotate(), aggregate(), and extra() methods. A\n remote attacker could possibly use this issue to perform an SQL injection\n attack. (CVE-2022-28346)\n\n It was discovered that the Django URLValidator function incorrectly handled\n newlines and tabs. A remote attacker could possibly use this issue to\n perform a header injection attack. (CVE-2021-32052)\n","modified":"2026-02-10T04:42:34Z","published":"2022-04-11T12:29:27Z","related":["UBUNTU-CVE-2021-32052","UBUNTU-CVE-2022-28346"],"upstream":["CVE-2021-32052","CVE-2022-28346","UBUNTU-CVE-2021-32052","UBUNTU-CVE-2022-28346"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5373-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-32052"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-28346"}],"affected":[{"package":{"name":"python-django","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/python-django@1.6.11-0ubuntu1.3+esm5?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.11-0ubuntu1.3+esm5"}]}],"versions":["1.5.4-1ubuntu1","1.6-1","1.6.1-1","1.6.1-2","1.6.1-2ubuntu0.1","1.6.1-2ubuntu0.2","1.6.1-2ubuntu0.3","1.6.1-2ubuntu0.4","1.6.1-2ubuntu0.5","1.6.1-2ubuntu0.6","1.6.1-2ubuntu0.8","1.6.1-2ubuntu0.9","1.6.1-2ubuntu0.10","1.6.1-2ubuntu0.11","1.6.1-2ubuntu0.12","1.6.1-2ubuntu0.13","1.6.1-2ubuntu0.14","1.6.1-2ubuntu0.15","1.6.1-2ubuntu0.16","1.6.11-0ubuntu1","1.6.11-0ubuntu1.1","1.6.11-0ubuntu1.2","1.6.11-0ubuntu1.3","1.6.11-0ubuntu1.3+esm1","1.6.11-0ubuntu1.3+esm2","1.6.11-0ubuntu1.3+esm3","1.6.11-0ubuntu1.3+esm4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"python-django","binary_version":"1.6.11-0ubuntu1.3+esm5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5373-2.json","cves_map":{"ecosystem":"Ubuntu:Pro:14.04:LTS","cves":[{"id":"CVE-2022-28346","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}]}]}}},{"package":{"name":"python-django","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python-django@1.8.7-1ubuntu5.15+esm5?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.7-1ubuntu5.15+esm5"}]}],"versions":["1.7.9-1ubuntu5","1.8.5-2ubuntu1","1.8.7-1ubuntu1","1.8.7-1ubuntu2","1.8.7-1ubuntu3","1.8.7-1ubuntu4","1.8.7-1ubuntu5","1.8.7-1ubuntu5.1","1.8.7-1ubuntu5.2","1.8.7-1ubuntu5.4","1.8.7-1ubuntu5.5","1.8.7-1ubuntu5.6","1.8.7-1ubuntu5.7","1.8.7-1ubuntu5.8","1.8.7-1ubuntu5.9","1.8.7-1ubuntu5.10","1.8.7-1ubuntu5.11","1.8.7-1ubuntu5.12","1.8.7-1ubuntu5.13","1.8.7-1ubuntu5.14","1.8.7-1ubuntu5.15","1.8.7-1ubuntu5.15+esm1","1.8.7-1ubuntu5.15+esm3","1.8.7-1ubuntu5.15+esm4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"python-django","binary_version":"1.8.7-1ubuntu5.15+esm5"},{"binary_name":"python-django-common","binary_version":"1.8.7-1ubuntu5.15+esm5"},{"binary_name":"python3-django","binary_version":"1.8.7-1ubuntu5.15+esm5"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5373-2.json","cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"id":"CVE-2022-28346","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"high","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.3"}