An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2022:5738 advisory.

    Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you     to manage repositories and content. It also enables cloud providers to deliver content and updates to Red     Hat Enterprise Linux (RHEL) instances.

    Security Fix:
    * Django: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments (CVE-2022-34265)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Users of RHUI are advised to upgrade to this updated package that fixes     this bug.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:8506 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):
    * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
    * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an     unnecessary way (CVE-2021-37137)
    * python3-django: Possible XSS via template tag (CVE-2022-22818)
    * tfm-rubygem-nokogiri: ReDoS in HTML encoding detection (CVE-2022-24836)
    * tfm-rubygem-sinatra: Path traversal possible outside of public_dir when serving static files     (CVE-2022-29970)
    * tfm-rubygem-git: Package vulnerable to Command Injection via git argument injection (CVE-2022-25648)
    * rubygem-rails-html-sanitizer: Possible XSS with certain configurations (CVE-2022-32209)
    * python3-django: Potential SQL injection via Trunc and Extract arguments (CVE-2022-34265)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:8506 advisory.

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient     regular expression that is susceptible to excessive backtracking when attempting to detect encoding in     HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for     this issue. (CVE-2022-24836)

  - The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling     the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch     subcommand in a way that additional flags can be set. The additional flags can be used to perform a     command injection. (CVE-2022-25648)

  - Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static     files. (CVE-2022-29970)

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()     database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-8fed428c5e advisory.

    Security fix for:

     - CVE-2023-24580
     - CVE-2023-23969
     - CVE-2022-41323
     - CVE-2022-36359
     - CVE-2022-34265
     - CVE-2022-28346
     - CVE-2022-28347

    https://docs.djangoproject.com/en/4.2/releases/4.0.3/     https://docs.djangoproject.com/en/4.2/releases/4.0.4/     https://docs.djangoproject.com/en/4.2/releases/4.0.5/     https://docs.djangoproject.com/en/4.2/releases/4.0.6/     https://docs.djangoproject.com/en/4.2/releases/4.0.7/     https://docs.djangoproject.com/en/4.2/releases/4.0.8/     https://docs.djangoproject.com/en/4.2/releases/4.0.9/     https://docs.djangoproject.com/en/4.2/releases/4.0.10/




Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-a53ab7c969 advisory.

    Security fix for:

     - CVE-2023-24580
     - CVE-2023-23969
     - CVE-2022-41323
     - CVE-2022-36359
     - CVE-2022-34265
     - CVE-2022-28346
     - CVE-2022-28347

    https://docs.djangoproject.com/en/4.2/releases/4.0.3/     https://docs.djangoproject.com/en/4.2/releases/4.0.4/     https://docs.djangoproject.com/en/4.2/releases/4.0.5/     https://docs.djangoproject.com/en/4.2/releases/4.0.6/     https://docs.djangoproject.com/en/4.2/releases/4.0.7/     https://docs.djangoproject.com/en/4.2/releases/4.0.8/     https://docs.djangoproject.com/en/4.2/releases/4.0.9/     https://docs.djangoproject.com/en/4.2/releases/4.0.10/

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3164 advisory.

  - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python     3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories     created in the process of uploading files. It was also not applied to intermediate-level collected static     directories when using the collectstatic management command. (CVE-2020-24583)

  - An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python     3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask     rather than 0o077. (CVE-2020-24584)

  - The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before     3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and     urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query     parameters using a semicolon (;), they can cause a difference in the interpretation of the request between     the proxy (running with default configuration) and the server. This can result in malicious requests being     cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and     therefore would not include it in a cache key of an unkeyed parameter. (CVE-2021-23336)

  - In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract     method (used by startapp --template and startproject --template) allows directory traversal via an     archive with absolute paths or relative paths with dot segments. (CVE-2021-3281)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()     database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5254 advisory.

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

  - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
    QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a     crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

  - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13,     and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
    **options argument, and placing the injection payload in an option name. (CVE-2022-28347)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()     database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

  - An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7.
    An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition     header of a FileResponse when the filename is derived from user-supplied input. (CVE-2022-36359)

  - Django reports: CVE-2022-41323: Potential denial-of-service vulnerability in             internationalized     URLs. (CVE-2022-41323)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5501-1 advisory.

    It was discovered that Django incorrectly handled certain SQL. An attacker could possibly use this issue     to expose sensitive information.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 5be19b0d-fb85-11ec-95cd-080027b24e86 advisory.

  - SO-AND-SO reports: CVE-2022-34265: Potential SQL injection via Trunc(kind) and     Extract(lookup_name) arguments. (CVE-2022-34265)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194266	RHEL 8 : Django 3.2.14 Security Update (Important) (RHSA-2022:5738)	Nessus	Red Hat Local Security Checks	critical
194188	RHEL 8 : Satellite 6.12 Release (Important) (RHSA-2022:8506)	Nessus	Red Hat Local Security Checks	critical
184617	Rocky Linux 8 : Satellite 6.12 Release (Important) (RLSA-2022:8506)	Nessus	Rocky Linux Local Security Checks	critical
174912	Fedora 37 : python-django (2023-8fed428c5e)	Nessus	Fedora Local Security Checks	critical
174911	Fedora 38 : python-django (2023-a53ab7c969)	Nessus	Fedora Local Security Checks	critical
166698	Debian DLA-3164-1 : python-django - LTS security update	Nessus	Debian Local Security Checks	critical
166158	Debian DSA-5254-1 : python-django - security update	Nessus	Debian Local Security Checks	critical
162702	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Django vulnerability (USN-5501-1)	Nessus	Ubuntu Local Security Checks	critical
162700	FreeBSD : Django -- multiple vulnerabilities (5be19b0d-fb85-11ec-95cd-080027b24e86)	Nessus	FreeBSD Local Security Checks	critical

Detections

Analytics

CVE-2022-34265

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical