Vulnerability details: VCID-3hnw-g9hf-aaap

Vulnerability ID: VCID-3hnw-g9hf-aaap
Aliases: BIT-2022-34265, BIT-django-2022-34265, CVE-2022-34265, GHSA-p64x-8rxx-wf6q, PYSEC-2022-213
Summary: An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Status: Published
Exploitability: 2.0
Weighted Severity: 9.0
Risk: 10.0
Weaknesses (3)
Severity scores (System, Score, Found at)

rhas             Important  https://access.redhat.com/errata/RHSA-2022:5738
cvssv3           9.8        https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34265.json
epss             0.13822    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.15147    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.15586    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.16355    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.17617    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.92493    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.92525    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.92539    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.92741    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.93085    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.93196    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
epss             0.93278    https://api.first.org/data/v1/epss?cve=CVE-2022-34265
rhbs             high       https://bugzilla.redhat.com/show_bug.cgi?id=2102896
cvssv3.1         7.5        https://docs.djangoproject.com/en/4.0/releases/security
generic_textual  HIGH       https://docs.djangoproject.com/en/4.0/releases/security
cvssv3.1         8.1        https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1         9.8        https://github.com/advisories/GHSA-p64x-8rxx-wf6q
cvssv3.1_qr      CRITICAL   https://github.com/advisories/GHSA-p64x-8rxx-wf6q
generic_textual  CRITICAL   https://github.com/advisories/GHSA-p64x-8rxx-wf6q
cvssv3.1         3.7        https://github.com/django/django
generic_textual  MODERATE   https://github.com/django/django
cvssv3.1         9.8        https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
generic_textual  CRITICAL   https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
cvssv3.1         9.8        https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db
generic_textual  CRITICAL   https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db
cvssv3.1         9.8        https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9
generic_textual  CRITICAL   https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9
cvssv3.1         9.8        https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
generic_textual  CRITICAL   https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
cvssv3.1         9.8        https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml
generic_textual  CRITICAL   https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml
cvssv3.1         3.7        https://groups.google.com/forum/#%21forum/django-announce
generic_textual  MODERATE   https://groups.google.com/forum/#%21forum/django-announce
cvssv3.1         7.5        https://groups.google.com/forum/#!forum/django-announce
generic_textual  HIGH       https://groups.google.com/forum/#!forum/django-announce
cvssv3.1         7.5        https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
generic_textual  HIGH       https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
cvssv3.1         7.5        https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
generic_textual  HIGH       https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
cvssv2           7.5        https://nvd.nist.gov/vuln/detail/CVE-2022-34265
cvssv3           9.8        https://nvd.nist.gov/vuln/detail/CVE-2022-34265
cvssv3.1         9.8        https://nvd.nist.gov/vuln/detail/CVE-2022-34265
archlinux        High       https://security.archlinux.org/AVG-2788
cvssv3.1         9.8        https://security.netapp.com/advisory/ntap-20220818-0006
generic_textual  CRITICAL   https://security.netapp.com/advisory/ntap-20220818-0006
cvssv3.1         8.8        https://www.debian.org/security/2022/dsa-5254
generic_textual  HIGH       https://www.debian.org/security/2022/dsa-5254
cvssv3.1         9.8        https://www.djangoproject.com/weblog/2022/jul/04/security-releases
generic_textual  CRITICAL   https://www.djangoproject.com/weblog/2022/jul/04/security-releases
References (Reference id, URL; no reference type is recorded for any entry)

(no id)          https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34265.json
(no id)          https://api.first.org/data/v1/epss?cve=CVE-2022-34265
(no id)          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22818
(no id)          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23833
(no id)          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28346
(no id)          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28347
(no id)          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34265
(no id)          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36359
(no id)          https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41323
(no id)          https://docs.djangoproject.com/en/4.0/releases/security
(no id)          https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
(no id)          https://github.com/advisories/GHSA-p64x-8rxx-wf6q
(no id)          https://github.com/django/django
(no id)          https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
(no id)          https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db
(no id)          https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9
(no id)          https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
(no id)          https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml
(no id)          https://groups.google.com/forum/#!forum/django-announce
(no id)          https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
(no id)          https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
(no id)          https://security.netapp.com/advisory/ntap-20220818-0006
(no id)          https://www.debian.org/security/2022/dsa-5254
(no id)          https://www.djangoproject.com/weblog/2022/jul/04/security-releases
1014541          https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014541
2102896          https://bugzilla.redhat.com/show_bug.cgi?id=2102896
AVG-2788         https://security.archlinux.org/AVG-2788
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*  https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
CVE-2022-34265   https://nvd.nist.gov/vuln/detail/CVE-2022-34265
RHSA-2022:5738   https://access.redhat.com/errata/RHSA-2022:5738
RHSA-2022:8506   https://access.redhat.com/errata/RHSA-2022:8506
USN-5501-1       https://usn.ubuntu.com/5501-1/
No exploits are available.
CVSS vectors by source

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-34265.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://docs.djangoproject.com/en/4.0/releases/security
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-p64x-8rxx-wf6q
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/django/django
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django/commit/0dc9c016fadb71a067e5a42be30164e3f96c0492
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django/commit/5e2f4ddf2940704a26a4ac782b851989668d74db
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django/commit/877c800f255ccaa7abde1fb944de45d1616f5cc9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-213.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://groups.google.com/forum/#%21forum/django-announce
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://groups.google.com/forum/#!forum/django-announce
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI
Vector (CVSS v2): AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-34265
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-34265
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20220818-0006
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2022/dsa-5254
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.djangoproject.com/weblog/2022/jul/04/security-releases
Exploit Prediction Scoring System (EPSS)
Percentile: 0.95788
EPSS Score: 0.13822
Published At: Nov. 1, 2024, midnight

History log (Date, Actor, Action, Source, VulnerableCode Version)
There are no relevant records.