CVE-2020-7471

Name
CVE-2020-7471
Description
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. Before the fix the delimiter was interpolated into the aggregate's SQL template as a quoted literal; the patched releases wrap it in a Value() expression so it is rendered as a placeholder and sent to the database as a bound query parameter.
NVD Severity
high
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                      URI
Mailing List              https://www.openwall.com/lists/oss-security/2020/02/03/1
Vendor Advisory           https://docs.djangoproject.com/en/3.0/releases/security/
Mailing List              https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI
Vendor Advisory           https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
Patch                     https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
Ubuntu (USN-4264-1)       https://usn.ubuntu.com/4264-1/
Bugtraq                   https://seclists.org/bugtraq/2020/Feb/30
Debian (DSA-4629)         https://www.debian.org/security/2020/dsa-4629
NetApp (confirm)          https://security.netapp.com/advisory/ntap-20200221-0006/
Gentoo (GLSA 202004-17)   https://security.gentoo.org/glsa/202004-17
Fedora                    https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

Match rules

CPE URI                                           Source package  Min version  Max version
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*    django          >= 1.11      < 1.11.28
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*    django          >= 2.2       < 2.2.10
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*    django          >= 3.0       < 3.0.3
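The following is an added example, not Django's code and not part of this tracker page. It reproduces the shape of the bug described above and of the fix (a delimiter interpolated into the aggregate's SQL template inside single quotes, versus a delimiter bound as a query parameter), and checks a version string against the match rules in the table above. SQLite's group_concat(expr, sep) stands in for PostgreSQL's STRING_AGG because it takes the same (expression, delimiter) pair and ships with Python; the table name export_rows, the sample rows, the crafted delimiter and the helper names build_vulnerable, build_fixed, run_export and is_affected are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the advisory): one column a "download as
# delimited text" view is meant to export, and one it must never expose.
SAMPLE_ROWS = [("alice", "s3cr3t-token-1"), ("bob", "s3cr3t-token-2")]

# A user-supplied "column delimiter" crafted to close the quoted literal the
# vulnerable template wraps it in and splice a subquery into the SELECT list.
MALICIOUS_DELIMITER = "') || (SELECT secret FROM export_rows LIMIT 1) || ('"

# Affected ranges taken from the match rules on this page: [min, max) per branch.
AFFECTED_RANGES = [
    ((1, 11), (1, 11, 28)),
    ((2, 2), (2, 2, 10)),
    ((3, 0), (3, 0, 3)),
]


def _connect():
    """In-memory SQLite database standing in for the PostgreSQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE export_rows (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO export_rows VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable(column, delimiter):
    """Pre-fix shape: the delimiter is %-formatted into the SQL text inside
    single quotes, so it is neither escaped nor bound. `column` is a
    hard-coded identifier chosen by the application, never user input."""
    template = "SELECT group_concat(%(expr)s, '%(delimiter)s') FROM export_rows"
    return template % {"expr": column, "delimiter": delimiter}, ()


def build_fixed(column, delimiter):
    """Post-fix shape: the delimiter is rendered as a placeholder and handed
    to the driver as a bound parameter, so its content can only ever be data."""
    template = "SELECT group_concat(%(expr)s, ?) FROM export_rows"
    return template % {"expr": column}, (str(delimiter),)


def run_export(builder, delimiter):
    """Build the aggregate query with `builder` and return the joined string."""
    conn = _connect()
    try:
        sql, params = builder("name", delimiter)
        return conn.execute(sql, params).fetchone()[0]
    finally:
        conn.close()


def is_affected(version):
    """True if a plain numeric Django version (e.g. "2.2.9") falls inside one
    of the affected ranges. Pre-release suffixes such as "rc1" are not handled."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return any(lo <= parts < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    print("benign delimiter, vulnerable:", run_export(build_vulnerable, ", "))
    print("benign delimiter, fixed:     ", run_export(build_fixed, ", "))
    print("crafted delimiter, vulnerable:", run_export(build_vulnerable, MALICIOUS_DELIMITER))
    print("crafted delimiter, fixed:     ", run_export(build_fixed, MALICIOUS_DELIMITER))
    for v in ("2.2.9", "2.2.10", "3.0.2", "3.1"):
        print(v, "affected" if is_affected(v) else "not affected")
```

With the benign delimiter both builders return the same joined string. With the crafted delimiter the vulnerable query becomes `SELECT group_concat(name, '') || (SELECT secret FROM export_rows LIMIT 1) || ('') FROM export_rows` and the output contains a value from the secret column, while the fixed query treats the whole crafted string as the separator and leaks nothing. The same shape applies to any backend: the defence is binding the delimiter as a parameter, not quoting it into the SQL text.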

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer  Status
py-django       3.10-main       1.11.28-r0  None        fixed
py3-django      edge-community  1.11.28-r0  None        fixed
py3-django      3.22-community  1.11.28-r0  None        fixed
py3-django      3.21-community  1.11.28-r0  None        fixed
py3-django      3.20-community  1.11.28-r0  None        fixed
py3-django      3.19-community  1.11.28-r0  None        fixed
py3-django      3.18-community  1.11.28-r0  None        fixed
py3-django      3.17-community  1.11.28-r0  None        fixed
py3-django      3.12-main       1.11.28-r0  None        fixed
py3-django      3.11-main       1.11.28-r0  None        fixed