Django 2.2.28 release notes

Donate 来源:Django 浏览 112 扫码分享 2023-12-18 08:41:12

Django 2.2.28 release notes
- CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()
- CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL

Django 2.2.28 release notes

April 11, 2022

Django 2.2.28 fixes two security issues with severity “high” in 2.2.27.

CVE-2022-28346: Potential SQL injection in `QuerySet.annotate()`, `aggregate()`, and `extra()`

QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.

CVE-2022-28347: Potential SQL injection via `QuerySet.explain(**options)` on PostgreSQL

QuerySet.explain() method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument.

当前内容版权归 Django 或其关联方所有，如需对内容或内容相关联开源项目进行关注与资助，请访问 Django .

本文档使用 BookStack 构建

Django 2.2.28 release notes

Django 2.2.28 release notes

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL

CVE-2022-28346: Potential SQL injection in `QuerySet.annotate()`, `aggregate()`, and `extra()`

CVE-2022-28347: Potential SQL injection via `QuerySet.explain(**options)` on PostgreSQL