Vulnerability Details : CVE-2020-7471
Potential exploit
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Vulnerability category: Sql Injection
Products affected by CVE-2020-7471
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
- cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-7471
8.68%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-7471
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-7471
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-7471
-
https://security.gentoo.org/glsa/202004-17
Django: Multiple vulnerabilities (GLSA 202004-17) — Gentoo security
-
https://www.debian.org/security/2020/dsa-4629
Debian -- Security Information -- DSA-4629-1 python-django
-
https://security.netapp.com/advisory/ntap-20200221-0006/
CVE-2020-7471 Django Vulnerability in NetApp Products | NetApp Product Security
-
https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136
Fixed CVE-2020-7471 -- Properly escaped StringAgg(delimiter) parameter. · django/django@eb31d84 · GitHubPatch;Third Party Advisory
-
https://groups.google.com/forum/#!topic/django-announce/X45S86X5bZI
Google GroepenMailing List;Third Party Advisory
-
https://docs.djangoproject.com/en/3.0/releases/security/
Archive of security issues | Django documentation | DjangoVendor Advisory
-
https://usn.ubuntu.com/4264-1/
USN-4264-1: Django vulnerability | Ubuntu security notices
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
[SECURITY] Fedora 32 Update: python-django-3.0.7-1.fc32 - package-announce - Fedora Mailing-Lists
-
https://seclists.org/bugtraq/2020/Feb/30
Bugtraq: [SECURITY] [DSA 4629-1] python-django security update
-
http://www.openwall.com/lists/oss-security/2020/02/03/1
oss-security - Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``Mailing List;Third Party Advisory
-
https://www.openwall.com/lists/oss-security/2020/02/03/1
oss-security - Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)``Mailing List;Third Party Advisory
-
https://www.djangoproject.com/weblog/2020/feb/03/security-releases/
Django security releases issued: 3.0.3, 2.2.10, and 1.11.28 | Weblog | DjangoVendor Advisory
Jump to