Django SQL Injection Vulnerability in FilteredRelation Column Aliases

Vulnerability

A SQL injection vulnerability has been identified in Django versions 4.2 prior to 4.2.24, 5.1 prior to 5.1.12, and 5.2 prior to 5.2.6. The issue arises in the FilteredRelation component, where column aliases can be manipulated through a crafted dictionary passed as keyword arguments to QuerySet.annotate() or QuerySet.alias(). This vulnerability allows for unauthorized SQL code execution, potentially leading to data exposure or modification.

Impact

Exploitation of this vulnerability allows for SQL injection attacks, where an attacker can manipulate database queries. This could lead to unauthorized data access, data modification, or in some cases, executing arbitrary code on the server.

Reproduction

To reproduce this vulnerability, create a Django project against a database backend such as PostgreSQL or MySQL. In a view or a model manager, call QuerySet.annotate() or QuerySet.alias() with a FilteredRelation, passing the aliases as a dictionary expanded into keyword arguments (**kwargs) whose keys, the column aliases, contain a crafted SQL injection payload. When the query is executed, the injected SQL is executed by the database, demonstrating the vulnerability.

Remediation

Users can upgrade to Django 5.2.6, 5.1.12, or 4.2.24 to address this vulnerability.
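The Python below is an added example, not Django's own code and not part of this advisory. It uses only the standard library. is_vulnerable() compares an installed Django version string against the fixed releases named above (4.2.24, 5.1.12, 5.2.6) and returns None for a series the advisory does not cover, so it is a triage aid rather than an oracle. check_alias_names() and safe_annotation_kwargs() show the defensive pattern the Reproduction section implies: alias names that end up as **kwargs to annotate() or alias() must come from a fixed allowlist of plain identifiers, never straight from request data, which holds regardless of Django version. FIXED_VERSIONS, the two helper functions and the sample inputs are constructed for this example.

```python
import re

# First fixed release for each affected series, taken from the advisory text above.
FIXED_VERSIONS = {
    (4, 2): (4, 2, 24),
    (5, 1): (5, 1, 12),
    (5, 2): (5, 2, 6),
}

# Django version strings look like "5.2.6", "5.2" or a pre-release such as "5.2.6rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(?:a|b|rc)(\d+))?$")


def parse_version(version):
    """Turn a Django version string into (major, minor, patch, is_final).

    is_final is 0 for a pre-release and 1 for a final release, so that
    "5.2.6rc1" sorts before "5.2.6" and is still treated as unpatched.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def is_vulnerable(version):
    """True if `version` is in an affected range, False if it is fixed,
    None if the series is not listed in the advisory (e.g. 5.0.x or 6.0)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    # Anything below the final fixed release, pre-releases of it included, is affected.
    return parsed < fixed + (1,)


# A column alias we are willing to forward to annotate()/alias(): a plain identifier.
_IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_alias_names(requested, allowed):
    """Return a list of (name, reason) for every requested alias that must be rejected.

    `requested` holds names that arrived from outside the process (query string,
    JSON body); `allowed` is the set of alias names this endpoint knows about.
    Rejections are reported, not silently dropped, so tampering is visible in logs.
    """
    rejected = []
    for name in requested:
        if not isinstance(name, str) or not _IDENTIFIER_RE.fullmatch(name):
            rejected.append((name, "not a plain identifier"))
        elif name not in allowed:
            rejected.append((name, "not in allowlist"))
    return rejected


def safe_annotation_kwargs(requested, allowed, build_expression):
    """Build the **kwargs for QuerySet.annotate()/alias() from untrusted names.

    `build_expression` maps an approved alias to its expression (in a real view
    this would construct the FilteredRelation). Any rejected name aborts the whole
    call; the caller should turn the ValueError into a 400 response.
    """
    rejected = check_alias_names(requested, allowed)
    if rejected:
        raise ValueError(f"rejected aliases: {rejected}")
    return {name: build_expression(name) for name in requested}


if __name__ == "__main__":
    # Constructed sample inputs: a request that asks for two known aliases,
    # and one that smuggles SQL fragments into an alias name.
    allowed = {"recent_posts", "active_comments"}
    good = safe_annotation_kwargs(["recent_posts"], allowed, lambda n: f"FilteredRelation for {n}")
    print(good)
    print(check_alias_names(['recent_posts" FROM dual --', "unknown_alias"], allowed))
    for v in ("4.2.23", "4.2.24", "5.2.6rc1", "5.2.6", "5.0.14"):
        print(v, is_vulnerable(v))
```

In a view, the allowlist is the fixed set of annotations the endpoint supports and the request only selects among them; the dictionary that reaches annotate() is assembled server-side from that selection, so no request-controlled string ever becomes a keyword name.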

Added: Sep 3, 2025, 9:23 PM
Updated: Sep 3, 2025, 9:23 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 0.4
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.