
Cloud Vulnerability DB
A community-led vulnerabilities database
A SQL injection vulnerability (CVE-2022-28347) was discovered in Django's QuerySet.explain() method, affecting versions 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. The vulnerability was disclosed on April 11, 2022. It is triggered when a crafted dictionary is passed to QuerySet.explain() via dictionary expansion as the **options argument, allowing an attacker to place an injection payload in an option name (Django Security, NVD).
The vulnerability affects QuerySet.explain() specifically when used with PostgreSQL: option names supplied through the **options argument are not neutralized before being interpolated into the EXPLAIN statement. The severity is rated CRITICAL, with a CVSS v3.1 Base Score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).
The successful exploitation of this vulnerability could lead to unauthorized access to or modification of database data, potentially exposing sensitive information or allowing manipulation of the database content. Given the CVSS score of 9.8, this vulnerability could result in a complete compromise of system confidentiality, integrity, and availability (NVD).
The vulnerability has been patched in Django versions 2.2.28, 3.2.13, and 4.0.4. Users are strongly encouraged to upgrade to these or later versions. The fixes have been applied to Django's main branch and the respective release branches. For Django 2.2 users, it's recommended to upgrade to Django 3.2 or later as version 2.2 has reached the end of extended support (Django Security).
The Django team classified this vulnerability as 'high' severity according to their security policy. The vulnerability was discovered and reported by Mariusz Felisiak, demonstrating the active security research within the Django community (Django Security).
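Two checks a defender would want from this advisory are a version test against the fixed releases listed above and an allowlist on EXPLAIN option names before they reach QuerySet.explain(). The following is an added example written for this page; it is not Django's own patch or code. It assumes a constructed allowlist of PostgreSQL EXPLAIN option names and a hypothetical `safe_explain()` wrapper that takes any object exposing an `explain(**options)` method, so it runs without Django installed.

```python
"""Defensive helpers for CVE-2022-28347 (added example, not Django code)."""
import re
from typing import Any, Dict, List, Tuple

# Fixed releases named in the advisory, keyed by the affected release series.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 2): (2, 2, 28),
    (3, 2): (3, 2, 13),
    (4, 0): (4, 0, 4),
}

# Constructed allowlist of PostgreSQL EXPLAIN option names (assumption:
# these are the only option names the application ever intends to pass).
ALLOWED_EXPLAIN_OPTIONS = frozenset({
    "ANALYZE", "VERBOSE", "COSTS", "SETTINGS", "BUFFERS",
    "WAL", "TIMING", "SUMMARY", "FORMAT",
})
OPTION_NAME_RE = re.compile(r"[A-Z_]+")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.2.12' into (3, 2, 12); ignores pre-release suffixes beyond 3 parts."""
    return tuple(int(part) for part in version.split(".")[:3])


def is_vulnerable(version: str) -> bool:
    """True if the given Django version is in an affected series and below its fix.

    Series not listed in the advisory (e.g. 4.1) are reported as not affected
    by this CVE; that is all the advisory supports.
    """
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return False
    return parts < fixed


def validate_explain_options(options: Dict[str, Any]) -> List[str]:
    """Return the option names that fail the allowlist (empty list means clean).

    An option name must be a string made only of letters/underscores and must
    be one of the known EXPLAIN options once upper-cased. Values are left to
    the ORM; this check is about the names, which is where the injection lived.
    """
    rejected: List[str] = []
    for name in options:
        if not isinstance(name, str):
            rejected.append(repr(name))
            continue
        upper = name.upper()
        if OPTION_NAME_RE.fullmatch(upper) is None or upper not in ALLOWED_EXPLAIN_OPTIONS:
            rejected.append(name)
    return rejected


def safe_explain(queryset: Any, **options: Any) -> Any:
    """Hypothetical wrapper: validate option names, then delegate to queryset.explain()."""
    bad = validate_explain_options(options)
    if bad:
        raise ValueError(f"Rejected EXPLAIN option name(s): {bad}")
    return queryset.explain(**options)


if __name__ == "__main__":
    for v in ("2.2.27", "2.2.28", "3.2.12", "3.2.13", "4.0.3", "4.0.4", "4.1"):
        print(f"Django {v}: {'VULNERABLE' if is_vulnerable(v) else 'not affected'}")
    print(validate_explain_options({"analyze": True, "format": "json"}))
    print(validate_explain_options({"analyze": True, "not a keyword": 1}))
```

Run it as a script to print the version verdicts and the rejected option names. In a real project, route every call to QuerySet.explain() through the wrapper (or, better, never build the options dictionary from untrusted input at all) and keep the version check in CI so an unpatched series cannot ship.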
Source: This report was generated using AI