Skip to content

SQL injection in Django

Critical severity GitHub Reviewed Published Feb 11, 2020 to the GitHub Advisory Database • Updated Aug 23, 2023

Package

pip django (pip)

Affected versions

< 1.11.28
>= 2.0.0, < 2.2.10
>= 3.0.0, < 3.0.3

Patched versions

1.11.28
2.2.10
3.0.3

Description

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

References

Reviewed Feb 5, 2020
Published to the GitHub Advisory Database Feb 11, 2020
Last updated Aug 23, 2023

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2020-7471

GHSA ID

GHSA-hmr4-m2h5-33qx

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.