Django SQL Injection Vulnerability in QuerySet and Q Objects via _connector Argument

A SQL injection vulnerability has been identified in Django versions 5.1 prior to 5.1.14, 4.2 prior to 4.2.26, and 5.2 prior to 5.2.8. The issue arises in the QuerySet methods filter(), exclude(), and get(), as well as the Q() class, when a crafted dictionary with dictionary expansion is used as the _connector argument. This vulnerability allows for malicious SQL injection, potentially compromising the application's database interactions.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries executed by the application. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, create a QuerySet and use the filter(), exclude(), or get() methods. Pass a dictionary as the _connector argument, ensuring that the dictionary is crafted to include malicious SQL injection payloads. The vulnerability can also be reproduced by using the Q() class with a similar dictionary payload.

Remediation

Users can upgrade to Django versions 5.1.14, 5.2.8, or 4.2.26 to address this vulnerability.