[Debian] CVE: CVE-2022-41323/CVE-2022-34265/CVE-2022-28347/CVE-2022-28346/CVE-2022-23833: python3-django: multiple CVEs

Bug #1997198 reported by Yue Tao
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Yue Tao

Bug Description

CVE-2022-41323: [https://nvd.nist.gov/vuln/detail/CVE-2022-41323]
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

CVE-2022-34265: [https://nvd.nist.gov/vuln/detail/CVE-2022-34265]
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

CVE-2022-28347: [https://nvd.nist.gov/vuln/detail/CVE-2022-28347]
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

CVE-2022-28346: [https://nvd.nist.gov/vuln/detail/CVE-2022-28346]
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.

CVE-2022-23833: [https://nvd.nist.gov/vuln/detail/CVE-2022-23833]
An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Score:
cve_id status cvss3Score av ac pr ui ai
CVE-2022-41323 fixed 7.5 N L N N H
CVE-2022-34265 fixed 9.8 N L N N H
CVE-2022-28347 fixed 9.8 N L N N H
CVE-2022-28346 fixed 9.8 N L N N H
CVE-2022-23833 fixed 7.5 N L N N H

References:
https://security-tracker.debian.org/tracker/CVE-2022-41323
https://security-tracker.debian.org/tracker/CVE-2022-34265
https://security-tracker.debian.org/tracker/CVE-2022-28347
https://security-tracker.debian.org/tracker/CVE-2022-28346
https://security-tracker.debian.org/tracker/CVE-2022-23833

['python3-django_2:2.2.26-1~deb11u1_all.deb===>python3-django_2:2.2.28-1~deb11u1_all.deb']

Found during October 2022 CVE scan using vulscan

Yue Tao (wrytao)
information type: Public → Public Security
Changed in starlingx:
assignee: nobody → Yue Tao (wrytao)
status: New → Triaged
importance: Undecided → Medium
tags: added: stx.8.0 stx.security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/865235

Changed in starlingx:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/865235
Committed: https://opendev.org/starlingx/tools/commit/7dcf9eb7c08489d728e49872493c5df656b2a073
Submitter: "Zuul (22348)"
Branch: master

commit 7dcf9eb7c08489d728e49872493c5df656b2a073
Author: Yue Tao <email address hidden>
Date: Tue Nov 22 15:23:33 2022 +0800

    Debian: python3-django: fix 5 CVEs

    Upgrade python3-django to 2:2.2.28-1~deb11u1 to fix 5 CVEs:

    CVE-2022-41323
    CVE-2022-34265
    CVE-2022-28347
    CVE-2022-28346
    CVE-2022-23833

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5254-1

    Test Plan:

    Pass: build all
    Pass: boot

    Closes-Bug: 1997198

    Signed-off-by: Yue Tao <email address hidden>
    Change-Id: Ib3da1cbbbb26e21d8d6214f44268dbe737905fb5

Changed in starlingx:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers