diff options
Diffstat (limited to 'docs/releases/2.2.28.txt')
-rw-r--r-- | docs/releases/2.2.28.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt index 0669e2d599..a894bddb3c 100644 --- a/docs/releases/2.2.28.txt +++ b/docs/releases/2.2.28.txt @@ -5,3 +5,11 @@ Django 2.2.28 release notes *April 11, 2022* Django 2.2.28 fixes two security issues with severity "high" in 2.2.27. + +CVE-2022-28346: Potential SQL injection in ``QuerySet.annotate()``, ``aggregate()``, and ``extra()`` +==================================================================================================== + +:meth:`.QuerySet.annotate`, :meth:`~.QuerySet.aggregate`, and +:meth:`~.QuerySet.extra` methods were subject to SQL injection in column +aliases, using a suitably crafted dictionary, with dictionary expansion, as the +``**kwargs`` passed to these methods. |