FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Django -- multiple vulnerabilities

Affected packages
py310-django22 < 2.2.28
py37-django22 < 2.2.28
py38-django22 < 2.2.28
py39-django22 < 2.2.28
py310-django32 < 3.2.13
py37-django32 < 3.2.13
py38-django32 < 3.2.13
py39-django32 < 3.2.13
py310-django40 < 4.0.4
py38-django40 < 4.0.4
py39-django40 < 4.0.4

Details

VuXML ID 0db46f84-b9fa-11ec-89df-080027240888
Discovery 2022-04-02
Entry 2022-04-12

Django Release reports:

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra().

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL.

References

CVE Name CVE-2022-28346
CVE Name CVE-2022-28347
URL https://www.djangoproject.com/weblog/2022/apr/11/security-releases/