The Django project has announced a fix for a vulnerability affecting the 3.2 and 4.0 release branches.

The high-severity vulnerability can be exploited for SQL injection.

The team has released patches that can be applied manually, as well as complete new releases, which are available for download.

Django, an open-source Python-based web framework, has patched a vulnerability tracked as CVE-2022-34265. The flaw exists in the main branch and in versions 3.2 and 4.0, as well as in 4.1, which is currently in beta. Django 4.0.6 and Django 3.2.14 address the security issue, and the Django team urges users to apply the update as soon as possible.

Mitigates SQL injection threat

The Django team stated that the Trunc() and Extract() database functions could lead to SQL injection when untrusted data was used as the kind or lookup_name value. The Django team said:

« Applications that constrain the lookup name and kind choice to a known safe list are unaffected. This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before its final release. This will impact 3rd party database backends using Django 4.1 release candidate 1 or newer until they are able to update to the API changes. We apologize for the inconvenience. »
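The advisory's distinction, untrusted input passed straight to Extract()/Trunc() versus input constrained to a known safe list, is illustrated below by an added example that is not Django's own code or part of the original article. It assumes a hypothetical request mapping with `func` and `part` parameters, a hypothetical `created` field, and allow-lists constructed for the example from the lookup names and kinds Django documents for Extract() and Trunc(); a real application should list only the values it actually exposes.

```python
"""Allow-list the lookup_name / kind that reach Django's Extract() and Trunc().

Added example, not Django's own code. The allow-lists are constructed for this
example; an application should include only the choices it really offers.
"""

# Extract() lookup names a user may select (constructed allow-list).
EXTRACT_LOOKUPS = frozenset({
    "year", "iso_year", "quarter", "month", "week", "week_day",
    "iso_week_day", "day", "hour", "minute", "second",
})
# Trunc() kinds a user may select (constructed allow-list).
TRUNC_KINDS = frozenset({
    "year", "quarter", "month", "week", "day", "hour", "minute", "second",
})


class InvalidPeriodError(ValueError):
    """Raised when a request supplies a value outside the allow-list."""


def check_choice(value, allowed, param):
    """Return `value` unchanged if it is exactly one of `allowed`, else raise.

    Exact string membership is the whole check: no normalisation, stripping
    or partial matching, so only allow-listed literals ever get through.
    """
    if not isinstance(value, str) or value not in allowed:
        raise InvalidPeriodError(
            f"{param}={value!r} is not an allowed choice; "
            f"expected one of {sorted(allowed)}"
        )
    return value


def period_args(params, field="created"):
    """Turn untrusted request parameters into safe Extract()/Trunc() arguments.

    `params` is a mapping such as request.GET (hypothetical parameter names
    `func` and `part`). Returns (function_name, field, argument) where
    `argument` is guaranteed to be an allow-listed lookup_name (for
    "extract") or kind (for "trunc"). Anything else raises, so the
    unvalidated string never reaches the ORM.
    """
    func = check_choice(params.get("func", "extract"), {"extract", "trunc"}, "func")
    allowed = EXTRACT_LOOKUPS if func == "extract" else TRUNC_KINDS
    arg = check_choice(params.get("part", "month"), allowed, "part")
    return func, field, arg


def build_expression(params, field="created"):
    """Build the ORM expression from validated arguments.

    Falls back to returning the validated tuple when Django is not installed,
    so the validation logic can be exercised on its own.
    """
    func, field, arg = period_args(params, field)
    try:
        from django.db.models.functions import Extract, Trunc
    except ImportError:
        return (func, field, arg)
    # The untrusted value only reaches Extract()/Trunc() after check_choice().
    return Extract(field, arg) if func == "extract" else Trunc(field, arg)


if __name__ == "__main__":
    # Constructed sample inputs: one valid request, one that is rejected.
    print(period_args({"func": "extract", "part": "year"}))
    try:
        period_args({"func": "trunc", "part": "year); DROP TABLE"})
    except InvalidPeriodError as exc:
        print("rejected:", exc)
```

The check is deliberately a membership test against a fixed set of literals rather than a pattern or sanitiser: the database function name is not a quoted parameter, so the only input the application should ever forward is one it has chosen itself.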

Users who don’t want to update Django to the latest version entirely can apply the patches manually to the affected version they use. The following links lead to the update pages on GitHub:

You can also download the fixed versions for the 4.0 and 3.2 branches by following the links below:

Takuto Yoshikai, a researcher at Aeye Security Lab, is credited with reporting the vulnerability.