PT-2022-2356 · Django+5

Mariusz Felisiak · Published 2022-04-11 · Updated 2026-01-03 · CVE-2022-28347

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Django versions 2.2 through 2.2.27
Django versions 3.2 through 3.2.12
Django versions 4.0 through 4.0.3

Description
A SQL injection issue was discovered in the QuerySet.explain() function. It is triggered by passing a crafted dictionary as the **options argument, with the injection payload placed in an option name (a dictionary key). Because option names were inserted into the SQL query text without validation of the query structure, a remote attacker who can influence those names may impact the confidentiality, integrity, and availability of protected information.

Recommendations
For Django versions 2.2 through 2.2.27, update to version 2.2.28 or later. For Django versions 3.2 through 3.2.12, update to version 3.2.13 or later. For Django versions 4.0 through 4.0.3, update to version 4.0.4 or later. As a temporary workaround, consider restricting the use of the QuerySet.explain() function until a patch is available. Avoid passing untrusted or attacker-controlled dictionaries as the **options argument to minimize the risk of exploitation.
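The defensive point in the description is that EXPLAIN option names are spliced into SQL text, so they must be validated as identifiers rather than treated as opaque strings. The following is an added example, not code from this advisory or from the Django project: a standalone validator for option names that an application can apply before calling QuerySet.explain(), in the spirit of the upstream fix. The regular expression, the "--" check, and the helper names (validate_explain_options, safe_explain, is_safe_option_name) are assumptions made for illustration; check them against the Django source for the version you run.

```python
import re

# Assumed rule: an option name may contain only word characters and hyphens,
# and must never contain "--", which would open a SQL line comment even though
# each character on its own passes the pattern. Verify against your Django
# version; this is an illustrative approximation, not the library's own code.
EXPLAIN_OPTION_NAME = re.compile(r"[\w\-]+")


def validate_explain_options(options):
    """Return a copy of `options` if every key is a safe option name.

    Raises ValueError on the first name that could alter the SQL structure of
    the EXPLAIN prefix. Only the keys are checked here: the values are
    normalized by the backend to true/false and are not the injection vector
    described in CVE-2022-28347.
    """
    for name in options:
        if not EXPLAIN_OPTION_NAME.fullmatch(name) or "--" in name:
            raise ValueError(f"Invalid option name: {name!r}.")
    return dict(options)


def is_safe_option_name(name):
    """Convenience predicate for filtering names from untrusted input."""
    try:
        validate_explain_options({name: True})
    except ValueError:
        return False
    return True


def safe_explain(queryset, **options):
    """Hypothetical wrapper: validate the option names, then delegate.

    `queryset` is assumed to expose a Django-style explain(**options) method.
    """
    validate_explain_options(options)
    return queryset.explain(**options)


if __name__ == "__main__":
    # Constructed inputs: the kind of names an application might receive from
    # a query string and forward to explain() without thinking about it.
    for candidate in ["analyze", "costs", "verbose", "a--b", "bad name", "costs)"]:
        print(f"{candidate!r:12} safe={is_safe_option_name(candidate)}")
```

Names with spaces, punctuation, or an embedded "--" are rejected before they reach the query builder; the check is intentionally an allow-list on shape, not a deny-list of known payloads, so it does not need updating as new tricks are found.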

Tags: Fix · DoS · SQL injection


Related Identifiers

ALT-PU-2022-1670
ALT-PU-2022-1677
BDU:2022-02670
BIT-DJANGO-2022-28347
CVE-2022-28347
DSA-5254-1
GHSA-W24H-V9QH-8GXJ
MGASA-2022-0190
OESA-2022-1642
OPENSUSE-SU-2023:0005-1
OPENSUSE-SU-2024:12094-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2025:14662-1
OPENSUSE-SU-2026:10005-1
PYSEC-2022-191
RHSA-2022:5498
RHSA-2022:5602
RHSA-2022:5702
RHSA-2022:5703
RLSA-2022:5498
USN-5373-1

Affected Products

Alt Linux
Django
Linuxmint
Red Os
Rocky Linux
Ubuntu