In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.
https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html
https://security.netapp.com/advisory/ntap-20221007-0003/
https://www.debian.org/security/2022/dsa-5087