Risk | High |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2022-28346 CVE-2022-28347 |
CWE-ID | CWE-89 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
Arch Linux Operating systems & Components / Operating system |
Vendor | Arch Linux |
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU62050
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-28346
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data within the QuerySet.annotate(), aggregate(), and extra() methods. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationUpdate the affected package python-django to version 4.0.4-1.
Vulnerable software versionsArch Linux: All versions
http://security.archlinux.org/advisory/ASA-202204-9
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
EUVDB-ID: #VU62051
Risk: High
CVSSv3.1:
CVE-ID: CVE-2022-28347
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data within the QuerySet.explain() method. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationUpdate the affected package python-django to version 4.0.4-1.
Vulnerable software versionsArch Linux: All versions
http://security.archlinux.org/advisory/ASA-202204-9
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?