SQL Injection in Django Trunc() and Extract() Database Functions

SQL Injection in Django Trunc() and Extract() Database Functions

CVE-2022-34265 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.