Django Extract and Trunc functions vulnerable to SQL injection


Django provided by Django Software Foundation is a Web application framework. Extract and Trunc functions of Django used to treat date data contain an SQL injection vulnerability(CWE-89).

Takuto Yoshikai of Aeye Security Lab reported this vulnerability to the developer and coordinated. After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.3 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Django Software Foundation
  • Django main development branch
  • Django 4.1 (currently at beta status)
  • Django 4.0
  • Django 3.2


An attacker may execute an arbitrary SQL command. Data in websites built using the product may be altered or deleted by an attacker.

[Update the software]
Update the software to the latest version according to the information provided by the developer.
Vendor Information

Django Software Foundation
CWE (What is CWE?)

  1. SQL Injection(CWE-89) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-34265

  1. JVN : JVN#12610194
Revision History

  • [2022/07/12]
      Web page was published