{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-19T02:06:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://docs.djangoproject.com/en/3.0/releases/security/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.openwall.com/lists/oss-security/2020/02/03/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"}, {"name": "[oss-security] 20200203 Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/02/03/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"}, {"name": "USN-4264-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4264-1/"}, {"name": "20200219 [SECURITY] [DSA 4629-1] python-django security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2020/Feb/30"}, {"name": "DSA-4629", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4629"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200221-0006/"}, {"name": "GLSA-202004-17", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202004-17"}, {"name": "FEDORA-2020-c2639662af", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-7471", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI", "refsource": "CONFIRM", "url": "https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI"}, {"name": "https://docs.djangoproject.com/en/3.0/releases/security/", "refsource": "CONFIRM", "url": "https://docs.djangoproject.com/en/3.0/releases/security/"}, {"name": "https://www.openwall.com/lists/oss-security/2020/02/03/1", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/02/03/1"}, {"name": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/", "refsource": "CONFIRM", "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"}, {"name": "[oss-security] 20200203 Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/02/03/1"}, {"name": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136", "refsource": "CONFIRM", "url": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"}, {"name": "USN-4264-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4264-1/"}, {"name": "20200219 [SECURITY] [DSA 4629-1] python-django security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2020/Feb/30"}, {"name": "DSA-4629", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4629"}, {"name": "https://security.netapp.com/advisory/ntap-20200221-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200221-0006/"}, {"name": "GLSA-202004-17", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202004-17"}, {"name": "FEDORA-2020-c2639662af", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:33:19.635Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://docs.djangoproject.com/en/3.0/releases/security/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2020/02/03/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"}, {"name": "[oss-security] 20200203 Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/02/03/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"}, {"name": "USN-4264-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4264-1/"}, {"name": "20200219 [SECURITY] [DSA 4629-1] python-django security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2020/Feb/30"}, {"name": "DSA-4629", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4629"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200221-0006/"}, {"name": "GLSA-202004-17", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202004-17"}, {"name": "FEDORA-2020-c2639662af", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-7471", "datePublished": "2020-02-03T11:59:20", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-08-04T09:33:19.635Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "00FE8079-CAF7-494D-BC2A-0B964A883EA6", "versionEndExcluding": "1.11.28", "versionStartIncluding": "1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "4771CEA7-2ECE-4620-98E0-D5F1AA91889C", "versionEndExcluding": "2.2.10", "versionStartIncluding": "2.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC272D38-BBBC-4440-A120-C2D60CC42A12", "versionEndExcluding": "3.0.3", "versionStartIncluding": "3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL."}, {"lang": "es", "value": "Django versiones 1.11 anteriores a 1.11.28, versiones 2.2 anteriores a 2.2.10 y versiones 3.0 anteriores a 3.0.3, permite una Inyecci\u00f3n SQL si se usan datos no confiables como un delimitador de StringAgg (por ejemplo, en aplicaciones Django que ofrecen descargas de datos como una serie de filas con un delimitador de columna especificado por el usuario). Al pasar un delimitador apropiadamente dise\u00f1ado a una instancia contrib.postgres.aggregates.StringAgg, fue posible romper el escape e inyectar SQL malicioso."}], "id": "CVE-2020-7471", "lastModified": "2023-11-07T03:26:06.483", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-03T12:15:26.993", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/02/03/1"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://docs.djangoproject.com/en/3.0/releases/security/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2020/Feb/30"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202004-17"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20200221-0006/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4264-1/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2020/dsa-4629"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/02/03/1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "django: potential SQL injection via StringAgg(delimiter)", "id": "1798515", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1798515"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-89", "details": ["Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.", "A flaw was found in Django, where it may allow SQL injection if improperly sanitized data is used as a StringAgg delimiter. If a suitably crafted delimiter is passed to a 'contrib.postgres.aggregates.StringAgg' instance, it is possible to break escaping and inject malicious SQL. An attacker could use this flaw to cause a denial of service, information disclosure, or privilege escalation."], "name": "CVE-2020-7471", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:certifications:1::el7", "fix_state": "Not affected", "package_name": "python-django", "product_name": "Red Hat Certification for Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:15", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 15 (Stein)"}, {"cpe": "cpe:/a:redhat:openstack:16", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat OpenStack Platform 16 (Train)"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "impact": "low", "package_name": "python-django", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2020-02-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-7471\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-7471"], "statement": "Even though the version of python-django as shipped in Red Hat Update Infrastructure contains the vulnerable code, the Product is not vulnerable because the vulnerable function is not used. Red Hat Update Infrastructure is based on pulp 2, which still uses MongoDB as database and not postgresql, where the flaw lies.\nAlthough Red Hat OpenStack Platform 13, 15, & 16 contain the vulnerable code, postgresql is not a supported database hence the lowered impact.\nSatellite 6 versions include vulnerable version of python-django however vulnerability is not directly exposed through code since the product does not use 'StringAgg' delimiter implementation. This issue may be get fixed in future updates.\nRed Hat Update Infrastructure 3 is in Maintenance Support phase and product only fixing Critical or Important impact flaws. Please refer lifecycle page for more details: https://access.redhat.com/support/policy/updates/rhui", "threat_severity": "Important", "upstream_fix": "python-django 1.11.28, python-django 2.2.10, python-django 3.0.3"}