PYSEC-2020-35

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/django/PYSEC-2020-35.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2020-35

Aliases

Published

2020-02-03T12:15:00Z

Modified

2023-12-06T00:45:37.460166Z

Summary

[none]

Details

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: GIT
Repo: https://github.com/django/django
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

eb31d845323618d688ad429479c6dda973056136

Type: ECOSYSTEM
Events: Introduced

1.11

Fixed

1.11.28

Introduced

2.2

Fixed

2.2.10

Introduced

3.0

Fixed

3.0.3

Affected versions

1.*

1.11

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9

1.11.10

1.11.11

1.11.12

1.11.13

1.11.14

1.11.15

1.11.16

1.11.17

1.11.18

1.11.20

1.11.21

1.11.22

1.11.23

1.11.24

1.11.25

1.11.26

1.11.27

2.*

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

3.*

3.0

3.0.1

3.0.2