FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Django -- potential SQL injection vulnerability

Affected packages
py27-django111 < 1.11.28
py35-django111 < 1.11.28
py36-django111 < 1.11.28
py37-django111 < 1.11.28
py38-django111 < 1.11.28
py35-django22 < 2.2.10
py36-django22 < 2.2.10
py37-django22 < 2.2.10
py38-django22 < 2.2.10
py36-django30 < 3.0.3
py37-django30 < 3.0.3
py38-django30 < 3.0.3

Details

VuXML ID 5a45649a-4777-11ea-bdec-08002728f74c
Discovery 2020-02-03
Entry 2020-02-04

MITRE CVE reports:

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

References

CVE Name CVE-2020-7471
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
URL https://docs.djangoproject.com/en/1.11/releases/1.11.28/
URL https://docs.djangoproject.com/en/2.2/releases/2.2.10/
URL https://docs.djangoproject.com/en/3.0/releases/3.0.3/