
[Snyk:High] django SQL Injection (due by 05/13/2022) #5161

Closed
cnlucas opened this issue Apr 13, 2022 · 1 comment · Fixed by #5184
Labels: Security: general (General security concern or issue); Security: high (Remediate within 30 days)

Comments

@cnlucas (Member) commented Apr 13, 2022

Summary

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to SQL Injection in QuerySet.annotate(), aggregate(), and extra() methods, in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.
Affected versions of this package are vulnerable to SQL Injection via QuerySet.explain(**options) in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument on PostgreSQL.
https://app.snyk.io/org/fecgov/project/ff0dca01-794e-4c1c-bf1f-0c0f8932fadd/#issue-SNYK-PYTHON-DJANGO-2606969
https://app.snyk.io/org/fecgov/project/ff0dca01-794e-4c1c-bf1f-0c0f8932fadd/#issue-SNYK-PYTHON-DJANGO-2606966

Remediation: Pin django to version 2.2.28 or 3.2.13 or 4.0.4

Technical considerations

  • It would be easiest to pin Django to 3.2.13, as we are currently on 3.1.14

Related issues

Completion criteria

  • Verify that this is indeed a vulnerability for us and either complete the remediation or document, close the ticket and snooze the Snyk alert.
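To make concrete what the two Snyk findings in the summary describe, here is an added example in plain Python with no Django dependency. It is not code from this issue, from the fecgov project, or from Django. The two toy SQL builders are constructed to imitate the shape of the SQL that annotate(**kwargs) and explain(**options) (on PostgreSQL) produce, so that an attacker-controlled dictionary key shows up where the advisory says it does; the two validation regexes are modelled on the checks the fixed releases added, which is an assumption about the upstream fix rather than Django's own code. The crafted dictionaries are constructed payloads, not anything observed in this repository.

```python
from __future__ import annotations

import re

# Patterns modelled on the alias and EXPLAIN-option checks that the fixed
# Django releases (2.2.28 / 3.2.13 / 4.0.4) apply. Assumption: these mirror
# upstream; this file is an illustration and is not Django's own code.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")
EXPLAIN_OPTION_PATTERN = re.compile(r"[\w\-]+")


def check_alias(alias: str) -> str:
    """Raise ValueError for an alias that could break out of a quoted identifier."""
    if FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation "
            "marks, semicolons, or SQL comments."
        )
    return alias


def check_explain_option(name: str) -> str:
    """Raise ValueError for an EXPLAIN option name that is not a bare word."""
    if not EXPLAIN_OPTION_PATTERN.fullmatch(name) or "--" in name:
        raise ValueError(f"Invalid option name: {name!r}.")
    return name


def annotate_sql(table: str, validate: bool, **aliases: str) -> str:
    """Toy stand-in for the SELECT a compiler emits for annotate(**aliases).

    Constructed for this example: each keyword name becomes a double-quoted
    column alias. validate=False interpolates it unchecked (the affected
    behaviour); validate=True runs check_alias first (the fixed behaviour).
    """
    cols = []
    for alias, expr in aliases.items():
        if validate:
            alias = check_alias(alias)
        cols.append(f'{expr} AS "{alias}"')
    return f'SELECT {", ".join(cols)} FROM "{table}"'


def explain_sql(sql: str, validate: bool, **options: object) -> str:
    """Toy stand-in for the PostgreSQL EXPLAIN (...) prefix built from explain(**options).

    Option names are upper-cased and values normalised to true/false, then
    joined inside the parentheses, so an unchecked name lands inside the
    option list.
    """
    parts = []
    for name, value in options.items():
        if validate:
            name = check_explain_option(name)
        parts.append(f"{name.upper()} {'true' if value else 'false'}")
    return f"EXPLAIN ({', '.join(parts)}) {sql}"


# Constructed attacker-controlled dictionaries, e.g. decoded from request
# parameters and passed through with ** expansion, as the advisory describes.
CRAFTED_ALIASES = {'total"; DROP TABLE "polls_poll"; --': "COUNT(*)"}
CRAFTED_OPTIONS = {"analyze) SELECT pg_sleep(5); --": True}


def vulnerable_annotate() -> str:
    """SQL the unchecked builder produces for the crafted alias dictionary."""
    return annotate_sql("polls_poll", False, **CRAFTED_ALIASES)


def vulnerable_explain() -> str:
    """SQL the unchecked builder produces for the crafted option dictionary."""
    return explain_sql('SELECT 1 FROM "polls_poll"', False, **CRAFTED_OPTIONS)


def alias_is_safe(alias: str) -> bool:
    try:
        check_alias(alias)
    except ValueError:
        return False
    return True


def explain_option_is_safe(name: str) -> bool:
    try:
        check_explain_option(name)
    except ValueError:
        return False
    return True


def hardened_rejects_crafted() -> tuple[bool, bool]:
    """Whether each validating builder refuses the crafted dictionaries."""
    results = []
    for func, args, kwargs in (
        (annotate_sql, ("polls_poll", True), CRAFTED_ALIASES),
        (explain_sql, ('SELECT 1 FROM "polls_poll"', True), CRAFTED_OPTIONS),
    ):
        try:
            func(*args, **kwargs)
            results.append(False)
        except ValueError:
            results.append(True)
    return tuple(results)


if __name__ == "__main__":
    print(vulnerable_annotate())
    print(vulnerable_explain())
    print(hardened_rejects_crafted())
```

Running the file prints the two unchecked statements, each with the attacker's key spliced in as a second statement, followed by (True, True) from the validating builders. The corresponding check for the completion criterion above is to look for call sites of annotate(**...), aggregate(**...), extra(**...) and explain(**...) and confirm whether any of those dictionary keys can originate from request data; the upgrade closes the hole either way, the search only tells you whether it was reachable here.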
@patphongs (Member) commented

Thanks @cnlucas for taking this off my hands! 🎉
