CVE-2022-28346: 
Django vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2022-28346) was discovered in Django versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. The vulnerability affects the QuerySet.annotate(), aggregate(), and extra() methods, which were susceptible to SQL injection attacks in column aliases when using a crafted dictionary with dictionary expansion as the passed **kwargs (Django Security, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically involves the way Django's QuerySet methods handle dictionary expansion in their kwargs parameters, allowing malicious actors to inject SQL commands through column aliases (NetApp Advisory).

Successful exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The high severity rating indicates the potential for complete compromise of system confidentiality, integrity, and availability (NetApp Advisory).

The Django team has released security patches to address this vulnerability in versions 4.0.4, 3.2.13, and 2.2.28. Users are strongly encouraged to upgrade to these patched versions immediately. Django 2.2 users should note that version 2.2.28 was the final security release for that branch, and they are encouraged to upgrade to Django 3.2 or later (Django Security).

The vulnerability was responsibly disclosed by the Splunk team members Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, David Briggs, and security researcher Danylo Dmytriiev (DDV_UA). Multiple vendors and distributions including Debian, Fedora, and NetApp have issued security advisories and patches for their products (Django Security, Debian Security).