SQL Injection Affecting django package, versions [3.0,3.0.3) [2.2,2.2.10) [1.11,1.11.28)
Snyk CVSS
Attack Complexity
Low
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.74% (81st
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-DJANGO-543998
- published 3 Feb 2020
- disclosed 3 Feb 2020
- credit Simon Charette
How to fix?
Upgrade Django
to version 3.0.3, 2.2.10, 1.11.28 or higher.
Overview
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Affected versions of this package are vulnerable to SQL Injection. If untrusted data is used as a StringAgg
delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter) by passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg
instance, it is possible to break escaping and inject malicious SQL.