Django SQL Injection Vulnerability in QuerySet Methods on MySQL and MariaDB

Vulnerability

A SQL injection vulnerability has been identified in Django versions 4.2 prior to 4.2.25, 5.1 prior to 5.1.13, and 5.2 prior to 5.2.7. The issue arises in the QuerySet methods annotate(), alias(), aggregate(), and extra() when a crafted dictionary is passed to them with dictionary expansion (**kwargs) as keyword arguments. Because the dictionary keys become column aliases in the generated query, an attacker who controls them can manipulate those aliases, leading to SQL injection on MySQL and MariaDB databases.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries executed by the application. This could lead to unauthorized data access, data manipulation, or in some cases, executing arbitrary code through database features.

Reproduction

To reproduce this vulnerability, create a Django application that uses a MySQL or MariaDB database. In a view or model method, call a QuerySet method such as annotate(), alias(), aggregate(), or extra() and pass a dictionary with crafted keys (which become column aliases) as keyword arguments. The dictionary should be structured to manipulate the SQL query in a way that exploits the vulnerability, such as injecting malicious SQL code through the column alias.

Remediation

Users can upgrade to Django versions 4.2.25, 5.1.13, or 5.2.7, where this vulnerability has been patched.
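Besides upgrading, the application-level pattern the advisory describes (expanding a caller-controlled dictionary into annotate() so its keys become column aliases) should be removed or guarded. The following is an added example, not Django's code or part of this advisory: the unsafe pattern beside a wrapper that forwards only allow-listed, well-formed alias names. The alias rule and the FakeQuerySet stand-in are assumptions made so it runs without Django or a database.

```python
import re
from typing import Any, Iterable, Mapping

# Conservative alias rule (an assumption for this example, not Django's own
# check): an ASCII identifier without the "__" lookup separator, capped at 64
# chars. Quotes, backticks, spaces, parentheses and comment markers all fail.
_ALIAS_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def alias_is_safe(name: object) -> bool:
    """Return True only for a plain identifier usable as a column alias."""
    return (
        isinstance(name, str)
        and "__" not in name
        and _ALIAS_RE.fullmatch(name) is not None
    )


class FakeQuerySet:
    """Constructed stand-in for a Django QuerySet that records annotate()
    keyword names, so the example runs with no database or Django installed."""

    def __init__(self) -> None:
        self.aliases: list[str] = []

    def annotate(self, **kwargs: Any) -> "FakeQuerySet":
        self.aliases.extend(kwargs)
        return self


def unsafe_annotate(qs: FakeQuerySet, user_dict: Mapping[str, Any]) -> FakeQuerySet:
    """The pattern the advisory describes: a caller-controlled dict is expanded
    into annotate(), so every key becomes a column alias in the generated SQL."""
    return qs.annotate(**user_dict)


def safe_annotate(
    qs: FakeQuerySet, requested: Iterable[str], allowed: Mapping[str, Any]
) -> FakeQuerySet:
    """Let the caller pick *which* allow-listed annotations to apply, never
    their text. `allowed` maps alias -> expression and is defined by the app
    (in Django, Count/Sum objects); anything else is rejected outright."""
    chosen: dict[str, Any] = {}
    for name in requested:
        if not alias_is_safe(name) or name not in allowed:
            raise ValueError(f"rejected annotation alias: {name!r}")
        chosen[name] = allowed[name]
    return qs.annotate(**chosen)
```

With a real QuerySet, replace FakeQuerySet with Model.objects and put the application's own expressions in `allowed`; the caller then only ever selects names from that fixed map.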

Added: Oct 1, 2025, 7:19 PM
Updated: Oct 1, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm

spread:         7.6
impact:         5.0
exploitability: 5.8
remediation:    7.7
relevance:      0.6
threat:         1.6
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.