Researcher released CVE-2022-34265 PoC for Django SQL Injection flaw

CVE-2022-34265 PoC (proof-of-concept) exploit code is about to be published for a vulnerability that allows an attacker to attack Django web applications. CVE-2022-34265 is a new high-severity vulnerability in the Django project and has been described as a potential SQL injection. The vulnerability has been reported by Takuto Yoshikai from Aeye Security Lab.

In Django’s main branch, versions 4.1 (currently in beta), 4.0, and 3.2, the vulnerability can allow a threat actor to attack Django web applications via arguments provided to the Trunc(kind) and Extract(lookup_name) arguments.

“Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected,” the official advisory noted.

Recently, researcher @TakutoYoshikai publicly released on GitHub CVE-2022-34265 PoC exploit code for a Django SQL Injection bug. The researcher writes on the cve_writeup: “The Trunc function is used to truncate specific year, month, day, hour, minute, second, etc. portions of date and time data. In the above example, start_datetime and start_datetime with the payload portion truncated are the same record. This is where the SQL Injection vulnerability could be triggered.”

The Django team has released versions Django 4.0.6 and Django 3.2.14 that address a high-severity SQL injection vulnerability and is urging developers to upgrade or patch their Django instances as soon as possible. The team said: “This security release mitigates the issue, but we have identified improvements to the Database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before it’s final release. This will impact 3rd party database backends using Django 4.1 release candidate 1 or newer, until they are able to update to the API changes.“