Vulnerability in the Django web framework that could lead to SQL injection

Maintenance releases 4.0.6 and 3.2.14 of the Django web framework have been published, fixing a vulnerability (CVE-2022-34265) that could allow arbitrary SQL injection. The issue affects applications that pass unvalidated external data as the kind and lookup_name arguments of the Trunc(kind) and Extract(lookup_name) database functions. Applications that only pass validated values for lookup_name and kind are not affected.

The fix blocks the problem by rejecting any characters other than letters, digits, "-", "_", "(" and ")" in the arguments of the Extract and Trunc functions. Previously, single quotes in the passed values were not stripped, which made it possible to inject SQL constructs by passing values of the form "day' FROM start_datetime)) OR 1=1;--" and "year', start_datetime)) OR 1=1;--". In the upcoming 4.1 release it is planned to harden the date extraction and truncation methods further, but the resulting API changes will break compatibility with third-party database backends.
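As an added example (not code from the Django project or from the article), the character allowlist described above is reproduced in plain Python so it runs without Django, next to the stricter fixed-set check an application should apply to request data before it reaches Trunc()/Extract(). The ALLOWED_KINDS set, the function names and the sample inputs are constructed for this illustration.

```python
import re

# Character allowlist mirroring the check described for Django 4.0.6 / 3.2.14:
# only letters, digits, "-", "_", "(" and ")" are accepted in kind/lookup_name.
# Assumption: written here in plain Python rather than imported from Django.
FRAMEWORK_PATTERN = re.compile(r"[\w\-_()]+")

# Application-side allowlist: the granularities an endpoint actually supports.
# Constructed for this example; narrow it to what your own view needs.
ALLOWED_KINDS = frozenset(
    {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}
)


def passes_framework_check(value: str) -> bool:
    """True if the framework-level character allowlist would accept value."""
    return FRAMEWORK_PATTERN.fullmatch(value) is not None


def resolve_kind(user_value: str) -> str:
    """Map untrusted input to a known kind or raise ValueError.

    This is the check an application should do regardless of Django version:
    compare against a fixed set of known values instead of filtering characters.
    """
    kind = user_value.strip().lower()
    if kind not in ALLOWED_KINDS:
        raise ValueError(f"unsupported date granularity: {user_value!r}")
    return kind


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate values, the two strings quoted
    # in the advisory text, and one that the character filter alone lets through.
    samples = [
        "day",
        "year",
        "day' FROM start_datetime)) OR 1=1;--",
        "year', start_datetime)) OR 1=1;--",
        "day)",
    ]
    for s in samples:
        try:
            resolved = resolve_kind(s)
        except ValueError:
            resolved = None
        print(f"{s!r:42} framework_ok={passes_framework_check(s)!s:5} app_kind={resolved}")
```

The last sample shows why the fixed-set check still matters: "day)" contains only allowed characters, so the character filter passes it, while the application-level allowlist rejects it.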

Source: opennet.ru