CVE-2020-7471

Description

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

How to fix CVE-2020-7471

To remediate CVE-2020-7471, upgrade the affected package to a fixed version below.

• —upgrade to 1.11.28-r0 or later
• —upgrade to 1.11.28-r0 or later
• —upgrade to 1.11.28 or later
• —upgrade to 1:1.10.7-2+deb9u8 or later
• —upgrade to 2:2.2.10-1 or later
• —upgrade to 1.11.28 or later
• —upgrade to eb31d845323618d688ad429479c6dda973056136 or later

Is CVE-2020-7471 being exploited?

Moderate — EPSS is 15.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (7)

• from 0, < 1.11.28-r0
• from 0, < 1.11.28-r0
• >= 1.11.0, < 1.11.28, >= 2.2.0, < 2.2.10, >= 3.0.0, < 3.0.3
• from 0, < 1:1.10.7-2+deb9u8
• from 0, < 2:2.2.10-1
• from 0, < 1.11.28
• from 0, < eb31d845323618d688ad429479c6dda973056136 | >= 1.11, < 1.11.28, >= 2.2, < 2.2.10, >= 3.0, < 3.0.3

CVSS scores

References (28)

• ADVISORYgithub.com/advisories/GHSA-hmr4-m2h5-33qx
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-7471
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-7471
• ADVISORYsecurity.netapp.com/advisory/ntap-20200221-0006/
• ADVISORY