Bug 707998 (CVE-2020-7471) - dev-python/django: Potential SQL injection via StringAgg(delimiter) (CVE-2020-7471)
Status: RESOLVED FIXED
Alias: CVE-2020-7471
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.djangoproject.com/weblog/...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-03 10:45 UTC by filip ambroz
Modified: 2020-04-30 23:32 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description filip ambroz 2020-02-03 10:45:33 UTC
django.contrib.postgres.aggregates.StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter

Reproducible: Didn't try
Comment 1 filip ambroz 2020-02-03 10:49:03 UTC
Resolution
==========

Patches to resolve the issue have been applied to Django's master branch and
the 3.0, 2.2, and 1.11 release branches. The patches may be obtained from the following changesets:

* On the `master branch <https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136>`__
* On the `3.0 release branch <https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b>`__
* On the `2.2 release branch <https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147>`__
* On the `1.11 release branch <https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd>`__

The following releases have been issued:

* Django 3.0.3 (`download Django 3.0.3 <https://www.djangoproject.com/m/releases/3.0/Django-3.0.3.tar.gz>`_ | `3.0.3 checksums <https://www.djangoproject.com/m/pgp/Django-3.0.3.checksum.txt>`_)
* Django 2.2.10 (`download Django 2.2.10 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.10.tar.gz>`_ | `2.2.10 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.10.checksum.txt>`_)
* Django 1.11.28 (`download Django 1.11.28 <https://www.djangoproject.com/m/releases/1.11/Django-1.11.28.tar.gz>`_ | `1.11.28 checksums <https://www.djangoproject.com/m/pgp/Django-1.11.28.checksum.txt>`_)
Comment 2 Larry the Git Cow gentoo-dev 2020-03-06 14:38:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d0858ec7469d1327e9fad71108a9a637469851e

commit 6d0858ec7469d1327e9fad71108a9a637469851e
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-03-06 14:13:35 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-03-06 14:38:30 +0000

    dev-python/django: Remove vulnerable (drop to ~arch)
    
    Bug: https://bugs.gentoo.org/692384
    Bug: https://bugs.gentoo.org/701744
    Bug: https://bugs.gentoo.org/706204
    Bug: https://bugs.gentoo.org/707998
    Bug: https://bugs.gentoo.org/711522
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-python/django/Manifest            |  4 --
 dev-python/django/django-2.1.8.ebuild | 88 ---------------------------------
 dev-python/django/django-2.1.9.ebuild | 88 ---------------------------------
 dev-python/django/django-2.2.1.ebuild | 91 -----------------------------------
 dev-python/django/django-2.2.2.ebuild | 91 -----------------------------------
 5 files changed, 362 deletions(-)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-04-08 04:35:27 UTC
CVE-2020-7471 (https://nvd.nist.gov/vuln/detail/CVE-2020-7471):
  Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows
  SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in
  Django applications that offer downloads of data as a series of rows with a
  user-specified column delimiter). By passing a suitably crafted delimiter to
  a contrib.postgres.aggregates.StringAgg instance, it was possible to break
  escaping and inject malicious SQL.
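The following Python is an added illustration of the bug class the NVD entry above describes; it is not code from Django, from the Django fix commits, or from this bug report. It models the "user-specified column delimiter" scenario with SQLite's group_concat(x, sep) standing in for PostgreSQL's STRING_AGG(x, sep), and contrasts a query that splices the delimiter into the SQL text inside quotes (the injectable pattern) with one that binds the delimiter as a query parameter (what the fix achieves by turning the delimiter into a parameterised expression). The tables, rows, crafted delimiter and the resolve_delimiter allowlist are all constructed for the example; the exact pre-fix Django internals are in the changesets linked in Comment 1, not reproduced here.

```python
import sqlite3

# Constructed sample data (not from the bug report): a users table whose
# e-mail column an application exports as one delimited string, plus a
# second table an attacker would like to read.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
SECRETS = [("admin", "s3cr3t-hash")]

# Allowlist for a "user-specified column delimiter" feature: the request
# names a delimiter, the application supplies the literal (assumed design).
DELIMITERS = {"comma": ",", "tab": "\t", "pipe": "|"}


def setup():
    """Build an in-memory SQLite database with the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("CREATE TABLE secrets (login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SECRETS)
    return conn


def aggregate_vulnerable(conn, delimiter):
    """Models the injectable pattern: the delimiter is spliced into the SQL
    text inside single quotes by string formatting, so a quote in the
    delimiter closes the literal and whatever follows is parsed as SQL.
    group_concat(x, sep) stands in for PostgreSQL's STRING_AGG(x, sep)."""
    sql = "SELECT group_concat(email, '%s') FROM users" % delimiter
    return [row[0] for row in conn.execute(sql).fetchall()]


def aggregate_safe(conn, delimiter):
    """Models the fixed behaviour: the delimiter travels as a bound query
    parameter, so its content cannot alter the statement's structure."""
    sql = "SELECT group_concat(email, ?) FROM users"
    rows = conn.execute(sql, (str(delimiter),)).fetchall()
    return [row[0] for row in rows]


def resolve_delimiter(name):
    """Defence in depth at the application layer: map a user-chosen name to
    a fixed delimiter instead of handing user text to the aggregate at all."""
    if name not in DELIMITERS:
        raise ValueError("unsupported delimiter: %r" % name)
    return DELIMITERS[name]


if __name__ == "__main__":
    conn = setup()
    # Constructed crafted delimiter: closes the quoted literal, completes the
    # statement, appends a UNION that reads the other table, and comments
    # out the remainder of the original query.
    crafted = "') FROM users UNION ALL SELECT pw_hash FROM secrets --"
    print("vulnerable:", aggregate_vulnerable(conn, crafted))
    print("safe:      ", aggregate_safe(conn, crafted))
    print("allowlist: ", aggregate_safe(conn, resolve_delimiter("pipe")))
```

Run as a script, the vulnerable query returns two rows, the second being the pw_hash value from the unrelated table, while the parameterised query returns a single row in which the crafted text is simply part of the output string. The allowlist is the check to add on top of upgrading to the fixed Django releases: if the application only ever needs a handful of delimiters, the user should pick one by name and never supply the literal.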
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-08 04:46:07 UTC
Added to an existing GLSA Request.
Arches and Maintainer(s), Thank you for your work.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2020-04-30 23:32:41 UTC
This issue was resolved and addressed in
 GLSA 202004-17 at https://security.gentoo.org/glsa/202004-17
by GLSA coordinator Thomas Deutschmann (whissi).