Django · Django · CVE-2022-28346
**Name of the Vulnerable Software and Affected Versions**
Django versions 2.2 before 2.2.28
Django versions 3.2 before 3.2.13
Django versions 4.0 before 4.0.4
**Description**
An issue was discovered in the QuerySet.annotate(), aggregate(), and extra() methods, which are subject to SQL injection in column aliases when a crafted dictionary is expanded into the passed `**kwargs`. This could allow a remote attacker to impact the confidentiality, integrity, and availability of protected information.
**Recommendations**
For Django versions 2.2 before 2.2.28, update to version 2.2.28 or later.
For Django versions 3.2 before 3.2.13, update to version 3.2.13 or later.
For Django versions 4.0 before 4.0.4, update to version 4.0.4 or later.
As a temporary workaround until the fixed version can be deployed, consider restricting the use of the `QuerySet.annotate()`, `aggregate()`, and `extra()` methods. Do not build the `**kwargs` passed to these methods from dictionaries whose keys come from untrusted input, since those keys become column aliases; this minimizes the risk of exploitation.
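As an added defensive illustration (not Django's own code), the following shows the two controls that matter here: alias validation in the style the fixed releases apply to annotate()/aggregate() aliases, and a server-side allowlist so that client input never becomes an alias key. The regex, `ALLOWED_ANNOTATIONS`, `build_annotate_kwargs` and the string stand-ins for aggregate expressions are this example's own assumptions, chosen so it runs without Django installed.

```python
import re

# Characters and sequences that must never appear in a column alias. Modelled on
# the alias validation the fixed Django releases perform; this exact pattern is
# the example's own and is not copied from Django.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\[\];\s]|--|/\*|\*/")


def check_alias(alias):
    """Raise ValueError if `alias` could escape the quoted alias in generated SQL."""
    if not alias or FORBIDDEN_ALIAS_PATTERN.search(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace, quotation marks, "
            "semicolons, brackets, or SQL comments: %r" % (alias,)
        )
    return alias


def alias_is_safe(alias):
    """Boolean convenience wrapper around check_alias()."""
    try:
        check_alias(alias)
    except ValueError:
        return False
    return True


# Hypothetical server-side allowlist: the only aliases a client may request, each
# mapped to a fixed, developer-written expression. The values are string stand-ins
# for Django aggregates such as Sum("price") so the example runs without Django.
ALLOWED_ANNOTATIONS = {
    "total_price": "Sum(price)",
    "item_count": "Count(id)",
}


def build_annotate_kwargs(requested):
    """Turn client-requested alias names into kwargs safe to splat into annotate().

    Unknown names are rejected outright, so a request can never choose the alias
    text itself; every surviving alias is still passed through check_alias().
    """
    kwargs = {}
    for name in requested:
        if name not in ALLOWED_ANNOTATIONS:
            raise ValueError("unsupported annotation: %r" % (name,))
        kwargs[check_alias(name)] = ALLOWED_ANNOTATIONS[name]
    return kwargs
```

The resulting dict is what should reach `annotate(**kwargs)`; the raw request dictionary never should.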