CVSSv2: 7.5

CVE-2020-7471

Published: 2020-02-03 Updated: 2020-02-06
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Django 1.11 prior to 1.11.28, 2.2 prior to 2.2.10, and 3.0 prior to 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
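The mechanism described above, reduced to a stand-alone script. This is an added illustration, not Django's own code: it mimics how django.contrib.postgres.aggregates.StringAgg rendered its SQL before the fixed releases (the delimiter formatted into the SQL text as a quoted literal) and after (the delimiter sent as a bound query parameter), and it includes a small check that shows which characters of the delimiter end up parsed as SQL rather than as data. SQLite's group_concat() stands in for PostgreSQL's STRING_AGG() so it runs offline; the function names, the table and the hostile delimiter are constructed for this example.

```python
"""Mechanism behind CVE-2020-7471, reduced to a stand-alone script.

Constructed illustration, not Django's own code. It mimics how
django.contrib.postgres.aggregates.StringAgg rendered SQL before the fixed
releases (delimiter interpolated into the SQL text as a quoted literal) and
after (delimiter passed as a bound query parameter). SQLite's group_concat()
stands in for PostgreSQL's STRING_AGG() so the script runs offline; the
function, table and delimiter values below are this example's own.
"""
import sqlite3
from typing import Callable, List, Tuple

# Shape of the affected template: the delimiter lands inside the SQL text.
VULNERABLE_TEMPLATE = "%(function)s(%(expressions)s, '%(delimiter)s')"

# Constructed attacker input: closes the literal, appends an SQL expression,
# and reopens the literal so the statement still parses. "(1)" could be any
# subquery the database user is allowed to run.
HOSTILE_DELIMITER = "' || (1) || '"


def vulnerable_string_agg_sql(column: str, delimiter: str) -> Tuple[str, List[str]]:
    """Pre-fix behaviour: the delimiter is formatted into the SQL string."""
    sql = VULNERABLE_TEMPLATE % {
        "function": "group_concat",  # STRING_AGG on PostgreSQL
        "expressions": column,       # a resolved column, never user input
        "delimiter": delimiter,
    }
    return sql, []


def fixed_string_agg_sql(column: str, delimiter: str) -> Tuple[str, List[str]]:
    """Post-fix behaviour: the delimiter travels as a bound parameter.
    Django/psycopg2 use %s placeholders; SQLite uses ?. Either way the
    driver quotes the value and the SQL text never changes shape."""
    return f"group_concat({column}, ?)", [delimiter]


def code_outside_literals(sql: str) -> str:
    """Strip every single-quoted literal ('' inside one is the escape) and
    return what is left. Any attacker text surviving here is parsed as SQL."""
    out: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        i += 1                                  # opening quote
        while i < n:
            if sql[i] == "'" and i + 1 < n and sql[i + 1] == "'":
                i += 2                          # escaped quote, stay inside
            elif sql[i] == "'":
                i += 1                          # closing quote
                break
            else:
                i += 1
    return "".join(out)


def run_aggregate(builder: Callable[[str, str], Tuple[str, List[str]]],
                  delimiter: str) -> str:
    """Execute the aggregate over a constructed table and return its result."""
    sql, params = builder("name", delimiter)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rows (name TEXT)")
    con.executemany("INSERT INTO rows VALUES (?)", [("a",), ("b",), ("c",)])
    value = con.execute(f"SELECT {sql} FROM rows", params).fetchone()[0]
    con.close()
    return value


if __name__ == "__main__":
    for label, builder in (("vulnerable", vulnerable_string_agg_sql),
                           ("fixed", fixed_string_agg_sql)):
        sql, _ = builder("name", HOSTILE_DELIMITER)
        print(f"{label:10s} sql={sql!r}")
        print(f"{'':10s} outside literals={code_outside_literals(sql)!r}")
        print(f"{'':10s} result={run_aggregate(builder, HOSTILE_DELIMITER)!r}")
```

With the hostile delimiter the vulnerable builder produces `group_concat(name, '' || (1) || '')`, so the `(1)` is evaluated by the database and the rows come back joined by "1"; the fixed builder leaves the SQL text unchanged and the database treats the whole delimiter as data, joining the rows with the literal string `' || (1) || '`. The same check applies when reviewing any template that formats user input into SQL: if the input survives outside a quoted literal, it is being executed.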

Affected Products

Vendor         Product   Versions
Djangoproject  Django    1.11, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10, 1.11.11, 1.11.12, 1.11.13, 1.11.14, 1.11.15, 1.11.16, 1.11.17, 1.11.18, 1.11.19, 1.11.20, 1.11.21, 1.11.22, 1.11.23, 1.11.24, 1.11.25, 1.11.26, 1.11.27, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 3.0, 3.0.1, 3.0.2

Vendor Advisories

Debian Bug report logs - #950581 python-django: CVE-2020-7471: Potential SQL injection via StringAgg(delimiter) Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Mon, 3 F ...
Django could be vulnerable to SQL injection attacks ...
Simon Charette discovered that Django, a high-level Python web development framework, did not properly handle input in its PostgreSQL module. A remote attacker could leverage this to perform SQL injection attacks. For the oldstable distribution (stretch), this problem has been fixed in version 1:1.10.7-2+deb9u8. For the stable distribution (buster) ...
Arch Linux Security Advisory ASA-202002-1 ========================================= Severity: Medium Date : 2020-02-03 CVE-ID : CVE-2020-7471 Package : python-django Type : sql injection Remote : Yes Link : security.archlinux.org/AVG-1091 Summary ======= The package python-django before version 3.0.3-1 is vulnerable to sql inj ...
The django.contrib.postgres.aggregates.StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4629-1 security@debian.org www.debian.org/security/ Sebastien Delafond February 19, 2020 www.debian.org/security/faq ...
www.djangoproject.com/weblog/2020/feb/03/security-releases/ <www.djangoproject.com/weblog/2020/feb/03/security-releases/> In accordance with `our security release policy <docs.djangoproject.com/en/dev/internals/security/>`_, the Django team is issuing `Django 3.0.3 <docs.djangoproject.com/en/dev/rel ...

Github Repositories

CVE-2020-7471 Potential SQL injection via StringAgg(delimiter)