CVE-2022-28346 – This SQL injection vulnerability in Django allo... (How to Fix)

📋 TL;DR

This SQL injection vulnerability in Django allows attackers to execute arbitrary SQL commands through crafted dictionary parameters in QuerySet methods. It affects Django applications using annotate(), aggregate(), or extra() methods with dictionary expansion. All Django deployments using vulnerable versions are affected.

💻 Affected Systems

Products:

Django

Versions: Django 2.2 before 2.2.28, 3.2 before 3.2.13, 4.0 before 4.0.4

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using QuerySet.annotate(), aggregate(), or extra() methods with dictionary expansion (**kwargs).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full database compromise including data theft, modification, deletion, and potential remote code execution via database functions.

🟠

Likely Case

Data exfiltration, privilege escalation, and application compromise through SQL injection.

🟢

If Mitigated

Limited impact with proper input validation and database user privilege restrictions.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires attacker to control dictionary parameters passed to vulnerable methods. Public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Django 2.2.28, 3.2.13, 4.0.4

Vendor Advisory: https://docs.djangoproject.com/en/4.0/releases/security/

Restart Required: Yes

Instructions:

1. Identify Django version: python -m django --version
2. Upgrade to patched version: pip install Django==2.2.28 OR Django==3.2.13 OR Django==4.0.4
3. Restart all Django processes and web servers
4. Test application functionality

🔧 Temporary Workarounds

Input Validation Wrapper

all

Create wrapper functions that validate dictionary keys before passing to vulnerable methods

# Python code to validate dictionary keys
# Ensure keys contain only alphanumeric characters and underscores
import re

def safe_annotate(queryset, **kwargs):
    for key in kwargs.keys():
        if not re.match(r'^[a-zA-Z_][a-zA-Z0-9_]*$', key):
            raise ValueError(f'Invalid alias: {key}')
    return queryset.annotate(**kwargs)

🧯 If You Can't Patch

Implement strict input validation for all dictionary parameters passed to QuerySet methods
Apply database-level controls: use minimal privilege database users, enable query logging, implement WAF rules

🔍 How to Verify

Check if Vulnerable:

Check Django version: python -m django --version. If version is 2.2.x < 2.2.28, 3.2.x < 3.2.13, or 4.0.x < 4.0.4, system is vulnerable.

Check Version:

python -m django --version

Verify Fix Applied:

After upgrade, verify version shows patched version (2.2.28, 3.2.13, or 4.0.4). Test application functionality with known safe inputs.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in Django logs
Database error logs showing malformed SQL
Unexpected database operations

Network Indicators:

Unusual database connection patterns
Large data transfers from database

SIEM Query:

source="django.log" AND ("annotate" OR "aggregate" OR "extra") AND error OR source="database.log" AND sql_injection

📊 Metadata

CVE ID: CVE-2022-28346

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: April 12, 2022

Last Updated: November 21, 2024

🔗 References

http://www.openwall.com/lists/oss-security/2022/04/11/1 Mailing List,Patch,Third Party Advisory
https://docs.djangoproject.com/en/4.0/releases/security/ Patch,Vendor Advisory
https://groups.google.com/forum/#%21forum/django-announce
https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://security.netapp.com/advisory/ntap-20220609-0002/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5254 Third Party Advisory
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ Patch,Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/04/11/1 Mailing List,Patch,Third Party Advisory
https://docs.djangoproject.com/en/4.0/releases/security/ Patch,Vendor Advisory
https://groups.google.com/forum/#%21forum/django-announce
https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html Mailing List,Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI/
https://security.netapp.com/advisory/ntap-20220609-0002/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5254 Third Party Advisory
https://www.djangoproject.com/weblog/2022/apr/11/security-releases/ Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28346, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Debian Linux by Debian

Django by Djangoproject

Django by Djangoproject

Django by Djangoproject

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Input Validation Wrapper

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities