
CVE-2022-28347: SQL Injection in Django

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.73597%
Published: 4/13/2022
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
Django       | pip       | >= 2.2, < 2.2.28    | 2.2.28
Django       | pip       | >= 3.2, < 3.2.13    | 3.2.13
Django       | pip       | >= 4.0, < 4.0.4     | 4.0.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from two key points:

  1. QuerySet.explain() lacked validation for option names in **options parameters, allowing attackers to inject SQL through dictionary keys
  2. The PostgreSQL explain_query_prefix implementation expanded options directly into the SQL query without proper whitelisting/validation

The patch added:

  • Regex validation (EXPLAIN_OPTIONS_PATTERN) in Query.explain()
  • Option normalization and allow-list checking in PostgreSQL's explain_query_prefix
  • Removal of the 'validates_explain_options' flag that previously disabled validation

These changes confirm that the vulnerable code paths were in these specific functions, which handle option processing for EXPLAIN queries.
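The two checks described above, as an added stand-alone model (illustrative code, not Django's source): a regex on option names with the extra '--' check, and an allow-list for PostgreSQL EXPLAIN options, run against a constructed options dictionary beside the unvalidated pre-patch behaviour. The allow-list subset and the function names are assumptions.

```python
import re

# Simplified stand-alone model of the two checks the patch introduced; this is
# illustrative code, not Django's own implementation.
EXPLAIN_OPTIONS_PATTERN = re.compile(r"[\w\-]+")
# Assumed allow-list of PostgreSQL EXPLAIN options (illustrative subset).
PG_EXPLAIN_OPTIONS = frozenset({"ANALYZE", "BUFFERS", "COSTS", "TIMING", "VERBOSE"})

def vulnerable_explain_prefix(**options):
    """Pre-patch behaviour, modelled: every option key is expanded verbatim into SQL."""
    if not options:
        return "EXPLAIN"
    rendered = ", ".join(f"{name} {'true' if value else 'false'}"
                         for name, value in options.items())
    return f"EXPLAIN ({rendered})"

def validate_option_names(options):
    """Modelled Query.explain() check: name must be a plain identifier and contain no '--'."""
    for name in options:
        if not EXPLAIN_OPTIONS_PATTERN.fullmatch(name) or "--" in name:
            raise ValueError(f"Invalid option name: {name!r}.")

def patched_explain_prefix(**options):
    """Post-patch behaviour, modelled: validate names, then keep only allow-listed options."""
    validate_option_names(options)
    normalized = {name.upper(): "true" if value else "false" for name, value in options.items()}
    unknown = sorted(set(normalized) - PG_EXPLAIN_OPTIONS)
    if unknown:
        raise ValueError(f"Unknown options: {', '.join(unknown)}")
    extra = [f"{opt} {normalized[opt]}" for opt in sorted(PG_EXPLAIN_OPTIONS) if opt in normalized]
    return f"EXPLAIN ({', '.join(extra)})" if extra else "EXPLAIN"

def rejects(**options):
    """True if the patched prefix builder refuses these options."""
    try:
        patched_explain_prefix(**options)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample: one legitimate option plus a key carrying extra SQL text.
    crafted = {"analyze": True, "verbose) -- injected": True}
    print(vulnerable_explain_prefix(**crafted))  # the crafted key lands in the SQL
    print("patched rejects crafted keys:", rejects(**crafted))
    print(patched_explain_prefix(analyze=True, verbose=False))
```

A key such as "verbose--" passes the regex alone, which is why the separate '--' check matters.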

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

A SQL injection issue was discovered in `QuerySet.explain()` in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the `**options` argument, and placing the in

Reasoning

The vulnerability stemmed from two key points:

  1. QuerySet.explain() lacked validation for option names in **options parameters, allowing attackers to inject SQL through dictionary keys
  2. The PostgreSQL explain_query_prefix implementation expanded options directly into the SQL query without proper whitelisting/validation