CVE-2022-34265: 
Django vulnerability analysis and mitigation

A high-severity SQL injection vulnerability (CVE-2022-34265) was discovered in Django versions 3.2 before 3.2.14 and 4.0 before 4.0.6. The vulnerability affects the Trunc() and Extract() database functions when untrusted data is used as a kind/lookup_name value. The issue was discovered and disclosed on July 4, 2022 (Django Security).

The vulnerability exists in the Trunc() and Extract() database functions of Django, where SQL injection is possible if untrusted data is used as a kind/lookup_name value. The issue received a CVSS score of 9.8 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Security).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Applications that constrain the lookup name and kind choice to a known safe list are unaffected (Django Security, NetApp Security).

The issue has been fixed in Django versions 4.0.6 and 3.2.14. Users are strongly encouraged to upgrade to these patched versions as soon as possible. The fixes have been applied to Django's main branch and to the 4.1, 4.0, and 3.2 release branches (Django Security).

The Django team classified this vulnerability as 'high' severity according to their security policy. The discovery was credited to Takuto Yoshikai from Aeye Security Lab (Django Security).