The Django project, an open source Python-based web framework, has patched a high-severity vulnerability in its latest releases.
Tracked as CVE-2022-34265, the potential SQL injection vulnerability affects Django's main branch and versions 4.1, 4.0, and 3.2; patches and new releases that fix it have been issued.
According to some estimates, tens of thousands of websites, including some popular brands in the U.S. alone, use Django as their Model-Template-View framework.
Today, the Django team released Django 4.0.6 and Django 3.2.14, which address the high-severity SQL injection vulnerability, and is urging developers to upgrade or patch their Django instances as soon as possible.
Assigned CVE-2022-34265, the vulnerability can allow a threat actor to attack Django web applications via the arguments provided to the Trunc(kind) and Extract(lookup_name) database functions.
"This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before [its] final release," the Django team further states.
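As an added illustration (not code from the article or from the Django project), this simplified pure-Python model of a Trunc(kind) argument shows the unguarded string interpolation that makes a user-controlled kind dangerous, beside a validated form that only lets allowlisted date parts reach the SQL. The allowlist, the regular expression (an assumption modelled on the word-only check the fix introduced), the DATE_TRUNC rendering and the request helper are this example's own assumptions, not Django's API.

```python
import re

# Allowlist of date/time parts a view is willing to truncate by. This is a
# constructed subset for the example, not Django's own table of kinds.
ALLOWED_PARTS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})

# Assumption: a word-only pattern in the spirit of the upstream fix. The
# allowlist above is stricter and is this example's own choice.
_PART_PATTERN = re.compile(r"[\w\-_()]+")


def validate_part(value):
    """Return value if it is a safe date part, otherwise raise ValueError."""
    if not isinstance(value, str) or not _PART_PATTERN.fullmatch(value):
        raise ValueError(f"invalid date part: {value!r}")
    if value not in ALLOWED_PARTS:
        raise ValueError(f"unsupported date part: {value!r}")
    return value


def unsafe_trunc_sql(column, kind):
    """Pre-fix shape of the bug: kind is interpolated into SQL unchecked,
    so whatever a caller passes lands verbatim inside the statement."""
    return f"DATE_TRUNC('{kind}', {column})"


def safe_trunc_sql(column, kind):
    """Hardened form: only an allowlisted kind ever reaches the SQL string."""
    return f"DATE_TRUNC('{validate_part(kind)}', {column})"


def handle_request(query_params):
    """View-level guard (hypothetical): a ?group_by= value from the request
    is validated before being handed to the truncation, defaulting to
    'month' when absent. Callers should map ValueError to a 400 response."""
    kind = query_params.get("group_by", "month")
    return safe_trunc_sql("created_at", kind)
```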
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS score) |
|---|---|---|---|
| 2022-07-04 | CVE-2022-34265 | SQL Injection vulnerability in Djangoproject Django: An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. | 9.8 |