An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1:1.11.11-1ubuntu1.18", "binary_name": "python-django" }, { "binary_version": "1:1.11.11-1ubuntu1.18", "binary_name": "python-django-common" }, { "binary_version": "1:1.11.11-1ubuntu1.18", "binary_name": "python-django-doc" }, { "binary_version": "1:1.11.11-1ubuntu1.18", "binary_name": "python3-django" } ] }