PT-2022-3421 · Django+5
Takuto Yoshikai · Published 2022-04-07 · Updated 2026-01-03
CVE-2022-34265
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Django versions 3.2.0 through 3.2.13
Django versions 4.0.0 through 4.0.5
Description
The vulnerability is an SQL injection in the Trunc() and Extract() database functions: when untrusted data is used as the kind (Trunc) or lookup_name (Extract) argument, an attacker can access or delete database data. Applications that restrict the kind and lookup name choice to a known safe list are unaffected. The vulnerability exists in the main branch and in the 4.1, 4.0, and 3.2 versions of Django. It is estimated that tens of thousands of website owners are affected.
Recommendations
For Django versions 3.2.0 through 3.2.13, update to version 3.2.14 or later.
For Django versions 4.0.0 through 4.0.5, update to version 4.0.6 or later.
As a temporary workaround, validate the kind and lookup name values against an allowlist of known-safe unit names before passing them to Trunc() and Extract(), and reject anything else.
Restrict access to the Trunc() and Extract() functions to minimize the risk of exploitation.
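The allowlist workaround above, as an added illustration that is not part of the advisory and not Django's own code. The allowlists follow the unit names the Django documentation lists for Trunc() and Extract() (check them against the version you run); the request-handling helpers, the `period` query parameter and the `created` field name are hypothetical.

```python
"""Allowlist validation for Django Trunc() kind and Extract() lookup_name values.

Added illustration for CVE-2022-34265; not Django's code and not from the
original advisory. The allowlists are assumed from the Django documentation;
period_from_request, annotate_by_period and the ``created`` field are
hypothetical names for the integration point in an application.
"""
from typing import Callable, FrozenSet, List, Mapping, Tuple

# Unit names Django documents for Trunc(expression, kind).
TRUNC_KINDS: FrozenSet[str] = frozenset(
    {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}
)

# Unit names Django documents for Extract(expression, lookup_name).
EXTRACT_LOOKUPS: FrozenSet[str] = frozenset(
    {"year", "iso_year", "quarter", "month", "week", "week_day",
     "iso_week_day", "day", "hour", "minute", "second"}
)


class UnsafeUnitName(ValueError):
    """Raised when a request-supplied unit name is not on the allowlist."""


def _validate(value: object, allowed: FrozenSet[str], what: str) -> str:
    # Exact membership test: no normalisation, no substring matching, so a
    # value such as "month'" or "Month" never reaches the SQL builder.
    if not isinstance(value, str) or value not in allowed:
        raise UnsafeUnitName(f"rejected {what}: {value!r}")
    return value


def validate_trunc_kind(value: object) -> str:
    """Return ``value`` unchanged only if it is a known Trunc() kind."""
    return _validate(value, TRUNC_KINDS, "Trunc kind")


def validate_extract_lookup(value: object) -> str:
    """Return ``value`` unchanged only if it is a known Extract() lookup_name."""
    return _validate(value, EXTRACT_LOOKUPS, "Extract lookup_name")


def period_from_request(params: Mapping[str, str], default: str = "month") -> str:
    """Hypothetical view helper: read ?period=... and return a validated kind.

    The vulnerable pattern this replaces is passing params["period"] straight
    into Trunc("created", params["period"]) on an affected Django release.
    """
    return validate_trunc_kind(params.get("period", default))


def annotate_by_period(queryset, params: Mapping[str, str]):
    """Apply the validated kind to a queryset whose model has a hypothetical
    ``created`` DateTimeField. Django is imported lazily so this module runs
    stand-alone without Django installed."""
    from django.db.models.functions import Trunc  # real Django API
    kind = period_from_request(params)
    return queryset.annotate(period=Trunc("created", kind)).values("period")


def screen_candidates(
    values, validator: Callable[[object], str] = validate_trunc_kind
) -> Tuple[List[str], List[object]]:
    """Classify candidate values with ``validator``: returns (accepted, rejected)."""
    accepted: List[str] = []
    rejected: List[object] = []
    for v in values:
        try:
            accepted.append(validator(v))
        except UnsafeUnitName:
            rejected.append(v)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs, as a query-string parser might hand them over.
    samples = ["month", "day", "Month", "month'", "month DESC", "", None, 3]
    ok, bad = screen_candidates(samples)
    print("accepted:", ok)   # ['month', 'day']
    print("rejected:", bad)  # everything else, including the case variant
```

The check is deliberately an exact set membership rather than a regular expression or a `.lower()` normalisation: the safe values are a short fixed vocabulary, so anything that is not literally one of them, including whitespace and case variants, is rejected before it can reach the ORM.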
Affected Products
Alt Linux
Astra Linux
Django
Linuxmint
Rocky Linux
Ubuntu