CVE-2025-13372

描述

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.

受影響套件(5)

• Bitnami/django>= 4.2.0, < 4.2.27, >= 5.1.0, < 5.1.15, >= 5.2.0, < 5.2.9
• Debian/python-djangofrom 0, < 3:3.2.25-0+deb12u1
• Debian/python-djangofrom 0, < 3:4.2.27-0+deb13u1
• PyPI/django>= 5.2a1, < 5.2.9
• PyPI/django>= 4.2, < 4.2.27, >= 5.1, < 5.1.15, >= 5.2, < 5.2.9

CVSS 分數

參考連結(13)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-13372
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-13372
• PATCHhttps://docs.djangoproject.com/en/dev/releases/security/
• PATCHhttps://github.com/django/django
• PATCHhttps://www.djangoproject.com/weblog/2025/dec/02/security-releases/
• WEBhttps://docs.djangoproject.com/en/dev/releases/security
• WEBhttps://github.com/django/django/commit/479415ce5249bcdebeb6570c72df2a87f45a7bbf
• WEBhttps://github.com/django/django/commit/56aea00c3c5e1aacf4ed05f8ee06c2e78f02cea0
• WEBhttps://github.com/django/django/commit/5b90ca1e7591fa36fccf2d6dad67cf1477e6293e
• WEBhttps://github.com/django/django/commit/9c6a5bde24240382807d13bc3748d08444709355
• WEBhttps://github.com/django/django/commit/f997037b235f6b5c9e7c4a501491ec45f3400f3d
• WEBhttps://groups.google.com/g/django-announce
• WEBhttps://www.djangoproject.com/weblog/2025/dec/02/security-releases