Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-28347

CVE-2022-28347: Django QuerySet SQL Injection Vulnerability

CVE-2022-28347 is a SQL injection vulnerability in Django's QuerySet.explain() method affecting versions 2.2-4.0. Attackers can exploit this through crafted dictionary options. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2022-28347 Overview

A SQL injection vulnerability was discovered in Django's QuerySet.explain() method affecting Django versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This vulnerability allows attackers to inject malicious SQL code by passing a crafted dictionary (with dictionary expansion) as the **options argument and placing the injection payload within an option name.

Critical Impact

This SQL injection vulnerability enables unauthenticated remote attackers to execute arbitrary SQL commands against the database, potentially leading to complete database compromise, data theft, data manipulation, or denial of service.

Affected Products

  • Django 2.2 before 2.2.28
  • Django 3.2 before 3.2.13
  • Django 4.0 before 4.0.4
  • Debian Linux 11.0 (via packaged Django)

Discovery Timeline

  • 2022-04-11 - Security releases announced by Django Project
  • 2022-04-12 - CVE CVE-2022-28347 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-28347

Vulnerability Analysis

The vulnerability resides in Django's QuerySet.explain() method, which is designed to provide database query execution plans for debugging and optimization purposes. The flaw occurs due to insufficient input validation when processing the **options keyword arguments passed to the method.

When developers use dictionary expansion (**) to pass options to explain(), the option names themselves are not properly sanitized before being incorporated into the SQL query. This allows an attacker who can control the dictionary keys to inject arbitrary SQL syntax through the option name parameter, bypassing the framework's normal query parameterization protections.

The vulnerability is particularly dangerous because SQL injection through option names is an unconventional attack vector that may not be anticipated by developers following standard security practices. Unlike typical SQL injection through query values, this attack exploits the structural elements of the query construction.

Root Cause

The root cause is CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection). The QuerySet.explain() method fails to properly sanitize or escape option names before incorporating them into the generated SQL statement. When dictionary expansion is used to pass options, the keys of the dictionary are directly interpolated into the SQL query without adequate validation, allowing malicious SQL code embedded in option names to be executed.

Attack Vector

The attack is network-accessible and can be executed remotely without authentication. An attacker can exploit this vulnerability by manipulating input that eventually gets passed as dictionary keys to the explain() method. The exploitation requires:

  1. An application endpoint that calls QuerySet.explain() with user-controlled options
  2. The ability to influence the dictionary keys passed via **options expansion
  3. Crafting option names containing SQL injection payloads

The injection payload is placed within the option name itself, not the option value, which is an atypical SQL injection pattern. This attack vector requires low complexity and no user interaction, making it highly exploitable in vulnerable configurations.

Detection Methods for CVE-2022-28347

Indicators of Compromise

  • Unusual database query patterns containing SQL syntax within EXPLAIN statement option fields
  • Error logs showing malformed EXPLAIN queries with suspicious option names
  • Database audit logs revealing unauthorized data access or modification operations
  • Web application logs showing requests with dictionary-like structures containing SQL keywords

Detection Strategies

  • Monitor application logs for errors related to QuerySet.explain() calls with malformed parameters
  • Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in request parameters
  • Deploy database query monitoring to identify anomalous EXPLAIN statements
  • Review Django application code for usage of explain() with user-controlled input

Monitoring Recommendations

  • Enable detailed Django logging for database queries in production environments
  • Configure database audit logging to capture all EXPLAIN statement executions
  • Set up alerting for SQL syntax errors that may indicate injection attempts
  • Monitor for unusual data access patterns that could indicate successful exploitation

How to Mitigate CVE-2022-28347

Immediate Actions Required

  • Upgrade Django to version 2.2.28, 3.2.13, or 4.0.4 or later immediately
  • Audit application code for any usage of QuerySet.explain() with user-controlled input
  • Review database logs for evidence of exploitation attempts
  • Apply the security updates available from your Linux distribution if using packaged Django

Patch Information

The Django Project released security patches on April 11, 2022, addressing this vulnerability across all supported branches. Updated versions include Django 2.2.28, 3.2.13, and 4.0.4. Security advisories and patch details are available through the Django Blog Security Release Update and Django 4.0 Security Release Notes. Debian users should apply the patch from Debian Security Advisory DSA-5254.

Workarounds

  • Remove or disable any application code that uses QuerySet.explain() with dynamic or user-controlled options until patching is complete
  • Implement strict input validation to ensure only predefined, safe option names can be passed to explain()
  • Use a Web Application Firewall to filter requests containing potential SQL injection patterns
  • Restrict access to debugging endpoints that may expose explain() functionality to untrusted users
bash
# Configuration example - Upgrade Django to patched version
pip install --upgrade Django>=4.0.4

# Verify installed version
python -c "import django; print(django.get_version())"

# For Debian/Ubuntu systems using packaged Django
sudo apt update && sudo apt upgrade python3-django

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.