9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-28347

GHSA ID

GHSA-w24h-v9qh-8gxj

EPSS Score

0.73597%

CWE

CWE-89

Published

4/13/2022

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-28347

CVE-2022-28347: SQL Injection in Django

A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-28347

GHSA ID

GHSA-w24h-v9qh-8gxj

EPSS Score

0.73597%

CWE

CWE-89

Published

4/13/2022

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Django	pip	>= 2.2, < 2.2.28	2.2.28
Django	pip	>= 3.2, < 3.2.13	3.2.13
Django	pip	>= 4.0, < 4.0.4	4.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key points:

QuerySet.explain() lacked validation for option names in **options parameters, allowing attackers to inject SQL through dictionary keys
The PostgreSQL explain_query_prefix implementation expanded options directly into the SQL query without proper whitelisting/validation

The patch added:

Regex validation (EXPLAIN_OPTIONS_PATTERN) in Query.explain()
Option normalization and allow-list checking in PostgreSQL's explain_query_prefix
Removal of the 'validates_explain_options' flag that previously disabled validation These changes confirm the vulnerable code paths were in these specific functions handling option processing for EXPLAIN queries.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* SQL inj**tion issu* w*s *is*ov*r** in `Qu*ryS*t.*xpl*in()` in *j*n*o *.* ***or* *.*.**, *.* ***or* *.*.**, *n* *.* ***or* *.*.*. T*is o**urs *y p*ssin* * *r**t** *i*tion*ry (wit* *i*tion*ry *xp*nsion) *s t** `**options` *r*um*nt, *n* pl**in* t** in

Reasoning

T** vuln*r**ility st*mm** *rom two k*y points: *. Qu*ryS*t.*xpl*in() l**k** v*li**tion *or option n*m*s in **options p*r*m*t*rs, *llowin* *tt**k*rs to inj**t SQL t*rou** *i*tion*ry k*ys *. T** Post*r*SQL *xpl*in_qu*ry_pr**ix impl*m*nt*tion *xp*n*** o

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-28347: SQL Injection in Django

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI