Launchpad CVE tracker

CVE 2022-28346

An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

Related bugs and status

CVE-2022-28346 (Candidate) is related to these bugs:

Bug #1971314: Merge python-django from Debian unstable for kinetic

Summary				In	Importance	Status
	1971314	Merge python-django from Debian unstable for kinetic		python-django (Ubuntu)	Undecided	Fix Released

Bug #1997198: [Debian] CVE: CVE-2022-41323/CVE-2022-34265/CVE-2022-28347/CVE-2022-28346/CVE-2022-23833: python3-django: multiple CVEs

Summary				In	Importance	Status
	1997198	[Debian] CVE: CVE-2022-41323/CVE-2022-34265/CVE-2022-28347/CVE-2022-28346/CVE-2022-23833: python3-django: multiple CVEs		StarlingX	Medium	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2022-28346

References