CVE-2022-28347 Overview
A SQL injection vulnerability was discovered in Django's QuerySet.explain() method affecting Django versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This vulnerability allows attackers to inject malicious SQL code by passing a crafted dictionary (with dictionary expansion) as the **options argument and placing the injection payload within an option name.
Critical Impact
This SQL injection vulnerability enables unauthenticated remote attackers to execute arbitrary SQL commands against the database, potentially leading to complete database compromise, data theft, data manipulation, or denial of service.
Affected Products
- Django 2.2 before 2.2.28
- Django 3.2 before 3.2.13
- Django 4.0 before 4.0.4
- Debian Linux 11.0 (via packaged Django)
Discovery Timeline
- 2022-04-11 - Security releases announced by Django Project
- 2022-04-12 - CVE CVE-2022-28347 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-28347
Vulnerability Analysis
The vulnerability resides in Django's QuerySet.explain() method, which is designed to provide database query execution plans for debugging and optimization purposes. The flaw occurs due to insufficient input validation when processing the **options keyword arguments passed to the method.
When developers use dictionary expansion (**) to pass options to explain(), the option names themselves are not properly sanitized before being incorporated into the SQL query. This allows an attacker who can control the dictionary keys to inject arbitrary SQL syntax through the option name parameter, bypassing the framework's normal query parameterization protections.
The vulnerability is particularly dangerous because SQL injection through option names is an unconventional attack vector that may not be anticipated by developers following standard security practices. Unlike typical SQL injection through query values, this attack exploits the structural elements of the query construction.
Root Cause
The root cause is CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). The QuerySet.explain() method fails to properly sanitize or escape option names before incorporating them into the generated SQL statement. When dictionary expansion is used to pass options, the keys of the dictionary are directly interpolated into the SQL query without adequate validation, allowing malicious SQL code embedded in option names to be executed.
Attack Vector
The attack is network-accessible and can be executed remotely without authentication. An attacker can exploit this vulnerability by manipulating input that eventually gets passed as dictionary keys to the explain() method. The exploitation requires:
- An application endpoint that calls QuerySet.explain() with user-controlled options
- The ability to influence the dictionary keys passed via **options expansion
- Crafting option names containing SQL injection payloads
The injection payload is placed within the option name itself, not the option value, which is an atypical SQL injection pattern. This attack vector requires low complexity and no user interaction, making it highly exploitable in vulnerable configurations.
Detection Methods for CVE-2022-28347
Indicators of Compromise
- Unusual database query patterns containing SQL syntax within EXPLAIN statement option fields
- Error logs showing malformed EXPLAIN queries with suspicious option names
- Database audit logs revealing unauthorized data access or modification operations
- Web application logs showing requests with dictionary-like structures containing SQL keywords
Detection Strategies
- Monitor application logs for errors related to QuerySet.explain() calls with malformed parameters
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in request parameters
- Deploy database query monitoring to identify anomalous EXPLAIN statements
- Review Django application code for usage of explain() with user-controlled input
Monitoring Recommendations
- Enable detailed Django logging for database queries in production environments
- Configure database audit logging to capture all EXPLAIN statement executions
- Set up alerting for SQL syntax errors that may indicate injection attempts
- Monitor for unusual data access patterns that could indicate successful exploitation
How to Mitigate CVE-2022-28347
Immediate Actions Required
- Upgrade Django to version 2.2.28, 3.2.13, or 4.0.4 or later immediately
- Audit application code for any usage of QuerySet.explain() with user-controlled input
- Review database logs for evidence of exploitation attempts
- Apply the security updates available from your Linux distribution if using packaged Django
Patch Information
The Django Project released security patches on April 11, 2022, addressing this vulnerability across all supported branches. Updated versions include Django 2.2.28, 3.2.13, and 4.0.4. Security advisories and patch details are available through the Django Blog Security Release Update and Django 4.0 Security Release Notes. Debian users should apply the patch from Debian Security Advisory DSA-5254.
Workarounds
- Remove or disable any application code that uses QuerySet.explain() with dynamic or user-controlled options until patching is complete
- Implement strict input validation to ensure only predefined, safe option names can be passed to explain()
- Use a Web Application Firewall to filter requests containing potential SQL injection patterns
- Restrict access to debugging endpoints that may expose explain() functionality to untrusted users
# Configuration example - Upgrade Django to patched version
pip install --upgrade Django>=4.0.4
# Verify installed version
python -c "import django; print(django.get_version())"
# For Debian/Ubuntu systems using packaged Django
sudo apt update && sudo apt upgrade python3-django
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
