CVE-2020-7471
Published 2020-02-03
Priority P274 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 65.34% (99.2th percentile)
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
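The mechanism behind the advisory text above, as an added example that is not part of the original page or of Django's own code: the pre-fix and post-fix ways of building the aggregate query, side by side. Before the fix, StringAgg formatted the delimiter into its SQL template inside single quotes; the fix commit listed in this page's references moves the delimiter into a Value() expression so it travels as a bound parameter. The example uses Python's sqlite3 module with SQLite's group_concat(X, Y) as a stand-in for PostgreSQL's string_agg(X, Y), so it runs without a PostgreSQL server; the table names, rows and the PAYLOAD string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the advisory): an "export as delimited
# text" view aggregating user e-mails, plus a table the user must never see.
USERS = [("alice", "a@example.org"), ("bob", "b@example.org")]
SECRETS = [("admin", "s3cr3t-hash")]

# Assumed attacker input: closes the quoted literal and smuggles a subquery
# into the delimiter position, so the secret is emitted between the rows.
PAYLOAD = "' || (SELECT pw_hash FROM secrets) || '"


def build_db():
    """In-memory SQLite stand-in for the PostgreSQL database behind the app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("CREATE TABLE secrets (login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SECRETS)
    return conn


def aggregate_vulnerable(conn, delimiter):
    """Pre-fix pattern: the delimiter is spliced into the SQL text inside a
    quoted literal. A quote in the delimiter ends the literal early and the
    remainder of the input is parsed as SQL."""
    sql = "SELECT group_concat(email, '%s') FROM users" % delimiter
    return conn.execute(sql).fetchone()[0]


def aggregate_safe(conn, delimiter):
    """Post-fix pattern: the delimiter is a bound parameter, so the database
    receives it as data and never parses it as SQL."""
    sql = "SELECT group_concat(email, ?) FROM users"
    return conn.execute(sql, (delimiter,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("benign   :", aggregate_vulnerable(db, ","))
    print("injected :", aggregate_vulnerable(db, PAYLOAD))  # leaks the hash
    print("hardened :", aggregate_safe(db, PAYLOAD))        # payload is just text
```

The hardened function is the whole fix: nothing about the delimiter is validated, it is simply never concatenated into the statement. Input validation on a user-chosen delimiter (length limit, printable characters only) is a reasonable defence in depth for an export feature, but it is not a substitute for parameterisation.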
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | < 2:2.2.10-1 (bookworm) | 2:2.2.10-1 (bookworm) |
| djangoproject | django | >= 0 < 1.11.28 | 1.11.28 |
| djangoproject | django | >= 1.11 < 1.11.28 | 1.11.28 |
| djangoproject | django | >= 2.0 < 2.2.10 | 2.2.10 |
| djangoproject | django | >= 2.2 < 2.2.10 | 2.2.10 |
| djangoproject | django | >= 3.0 < 3.0.3 | 3.0.3 |
Detection & IOCs (extracted from sources)
- The injection vector is the `delimiter` argument of `django.contrib.postgres.aggregates.StringAgg`; monitor or WAF-inspect any request parameter that flows into that argument (for example a user-chosen column delimiter on a data export) for quote characters and SQL fragments that would break out of the quoted literal.
- `StringAgg` lives in `contrib.postgres`, so only Django deployments backed by PostgreSQL are exposed; scope detection to those.
- A successful injection can cause denial of service, information disclosure, or privilege escalation; correlate PostgreSQL query logs for `STRING_AGG` calls whose delimiter argument is not a plain string literal or bind parameter.
- The flaw applies only where untrusted input reaches the `StringAgg` delimiter; applications that never pass user-controlled data there are not exploitable, even on a vulnerable Django version.
- Red Hat products that use MongoDB rather than PostgreSQL are not affected despite shipping the vulnerable Django code.
- Satellite 6 ships the vulnerable Django version but does not use the StringAgg delimiter implementation, so it is not directly exposed.
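The log-correlation idea in the list above, as an added example that is not drawn from any of the page's sources: a scanner over PostgreSQL statement-log lines that extracts the last argument of every STRING_AGG call and flags it unless it is a plain quoted literal or a $n bind parameter, and separately flags any SQL comment marker, which Django's ORM never emits. The log lines are constructed. Django on psycopg2 binds parameters client-side, so a patched application still logs a quoted literal; the $1 form appears only with server-side prepared statements, and both are treated as benign. The quote and parenthesis handling is a small hand-written tokenizer, not a SQL parser.

```python
import re

# Constructed PostgreSQL statement-log lines (not real logs). Lines 1 and 2 are
# what a patched app produces. Line 3 smuggles a subquery into the delimiter
# position; line 4 terminates the call, appends a UNION and comments out the
# rest of the template.
SAMPLE_LOG = """\
2020-02-04 10:01:02 UTC LOG:  statement: SELECT STRING_AGG("app_user"."email", ',') AS "emails" FROM "app_user"
2020-02-04 10:01:03 UTC LOG:  execute <unnamed>: SELECT STRING_AGG("app_user"."email", $1) AS "emails" FROM "app_user"
2020-02-04 10:01:04 UTC LOG:  statement: SELECT STRING_AGG("app_user"."email", '' || (SELECT pg_read_file('/etc/passwd')) || '') AS "emails" FROM "app_user"
2020-02-04 10:01:05 UTC LOG:  statement: SELECT STRING_AGG("app_user"."email", '') AS "emails" FROM "app_user" UNION SELECT usename || ':' || passwd FROM pg_shadow --') AS "emails" FROM "app_user"
"""

CALL_RE = re.compile(r"STRING_AGG\s*\(", re.IGNORECASE)
LITERAL_RE = re.compile(r"^'(?:[^']|'')*'$")   # plain literal; '' is the escaped quote
PARAM_RE = re.compile(r"^\$\d+$")              # server-side bind parameter
ORDER_BY_RE = re.compile(r"\s+ORDER\s+BY\s.*$", re.IGNORECASE | re.DOTALL)


def call_args(sql, open_paren):
    """Split the call whose '(' sits at sql[open_paren] into top-level arguments,
    honouring '...' literals and "..." identifiers. Returns None if the call
    never closes (a payload can leave a quote or parenthesis dangling)."""
    depth, quote, args, cur = 0, None, [], []
    i = open_paren
    while i < len(sql):
        ch = sql[i]
        if quote:
            cur.append(ch)
            if ch == quote:
                if i + 1 < len(sql) and sql[i + 1] == quote:  # doubled quote = escape
                    cur.append(quote)
                    i += 1
                else:
                    quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None


def findings_for(sql):
    """Reasons one logged statement deserves a look; empty list if it is clean."""
    findings = []
    for m in CALL_RE.finditer(sql):
        args = call_args(sql, m.end() - 1)
        if args is None:
            findings.append("unterminated STRING_AGG call")
            continue
        if len(args) < 2:
            findings.append("STRING_AGG call without a delimiter argument")
            continue
        # string_agg(expr, delimiter [ORDER BY ...]): the delimiter is the last argument
        delim = ORDER_BY_RE.sub("", args[-1])
        if not (LITERAL_RE.match(delim) or PARAM_RE.match(delim)):
            findings.append("delimiter is not a literal or parameter: %s" % delim)
    if "--" in sql or "/*" in sql:
        findings.append("SQL comment marker in an ORM-generated statement")
    return findings


def scan_log(text):
    """(line number, findings) for every STRING_AGG statement that looks tampered with."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if "STRING_AGG" in line.upper():
            f = findings_for(line)
            if f:
                hits.append((n, f))
    return hits


if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (n, "; ".join(f)))
```

Run it against `log_statement = 'all'` output or a pgBadger export; the delimiter check is specific to this CVE, while the comment-marker check is a cheap generic signal for any injection into ORM-built SQL.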
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
Ubuntu
Django vulnerability
vendor_ubuntu · 2020-02-04
Summary: Django could be vulnerable to SQL injection attacks.
Simon Charette discovered that Django incorrectly handled input in the PostgreSQL module. A remote attacker could possibly use this to perform SQL injection attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
django: potential SQL injection via StringAgg(delimiter)
vendor_redhat · 2020-02-03 · CVSS 9.8 · CRITICAL · CWE-89
A flaw was found in Django, where it may allow SQL injection if improperly sanitized data is used as a StringAgg delimiter. If a suitably crafted delimiter is passed to a 'contrib.postgres.aggregates.StringAgg' instance, it is possible to break escaping and inject malicious SQL. An attacker could use this flaw to cause a denia
Debian
python-django: Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL I...
vendor_debian · 2020 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 2:2.2.10-1)
bullseye: resolved (fixed in 2:2.2.10-1)
forky: resolved (fixed in 2:2.2.10-1)
sid: resolved (fixed in 2:2.2.10-1)
trixie: resolved (fixed in 2:2.2.10-1)
OSV
SQL injection in Django
osv · 2020-02-11 · CRITICAL
GHSA
SQL injection in Django
ghsa · 2020-02-11 · CRITICAL · CWE-89
OSV
CVE-2020-7471: Django 1
osv · 2020-02-03 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-7471 python-django: django: potential SQL injection via StringAgg(delimiter) [openstack-rdo]
bugzilla · 2020-02-05 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Although RDO
Bugzilla
CVE-2020-7471 python-django: django: potential SQL injection via StringAgg(delimiter) [epel-8]
bugzilla · 2020-02-05 · CVSS 9.8 · CRITICAL
Discussion:
Use the following template
Bugzilla
CVE-2020-7471 python-django: django: potential SQL injection via StringAgg(delimiter) [epel-7]
bugzilla · 2020-02-05 · CVSS 9.8 · CRITICAL
Discussion:
Use the following template
Bugzilla
CVE-2020-7471 django:1.6/python-django: django: potential SQL injection via StringAgg(delimiter) [fedora-all]
bugzilla · 2020-02-05 · CVSS 9.8 · CRITICAL
NOTE: this issue aff
Bugzilla
CVE-2020-7471 django: potential SQL injection via StringAgg(delimiter)
bugzilla · 2020-02-05 · CVSS 9.8 · CRITICAL
Reference:
https://www.openwall.com/lists/oss-security/2020/02/03/1
Discussion:
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1798521]
Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1798518]
Affects: epel-8 [bug 1798519]
Affects: fedora-all
Bugzilla
CVE-2020-7471 python-django: django: potential SQL injection via StringAgg(delimiter) [fedora-all]
bugzilla · 2020-02-05 · CVSS 9.8 · CRITICAL
NOTE: this issue affects multip
References
- http://www.openwall.com/lists/oss-security/2020/02/03/1
- https://www.openwall.com/lists/oss-security/2020/02/03/1
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
- https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://seclists.org/bugtraq/2020/Feb/30
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200221-0006/
- https://usn.ubuntu.com/4264-1/
- https://www.debian.org/security/2020/dsa-4629
- https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
Published: 2020-02-03