SQL injection in Django
Severity: Critical
GitHub Reviewed
Published Feb 11, 2020 to the GitHub Advisory Database • Updated Aug 23, 2023
Package
Affected versions: < 1.11.28; >= 2.0.0, < 2.2.10; >= 3.0.0, < 3.0.3
Patched versions: 1.11.28, 2.2.10, 3.0.3
Reviewed: Feb 5, 2020
Published to the GitHub Advisory Database: Feb 11, 2020
Last updated: Aug 23, 2023

Description
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
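The following is an added example written for this page; it is not code from the advisory or from Django. It reproduces the two patterns the advisory contrasts: splicing a user-chosen delimiter into the SQL text (the pre-fix StringAgg behaviour) versus sending it as a bound parameter (the patched releases wrap the delimiter in Value() so it is passed as a query parameter). PostgreSQL's STRING_AGG is replaced here by SQLite's group_concat(value, separator), which takes the same value-plus-separator shape and runs offline from the standard library; the table, rows, function names and delimiter allowlist are all constructed for the illustration.

```python
import sqlite3

# Constructed sample data standing in for rows a view might offer for download.
SAMPLE_ROWS = [("a", "x"), ("a", "y"), ("b", "z")]

# Delimiters an export endpoint actually needs; anything else is rejected
# before it ever reaches the query layer (constructed allowlist).
ALLOWED_DELIMITERS = {",", ";", "|", "\t"}


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE row_export (grp TEXT, val TEXT)")
    conn.executemany("INSERT INTO row_export VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def aggregate_spliced(conn, delimiter):
    """Vulnerable pattern: the delimiter is spliced into the SQL text.

    This mirrors the pre-fix StringAgg template, which placed the delimiter
    between quotes inside the query string. A delimiter containing a quote
    character therefore changes the structure of the statement instead of
    being treated as data. Returns None when the database rejects the
    statement, which is the observable symptom of the broken escaping.
    """
    sql = (
        "SELECT grp, group_concat(val, '%s') FROM row_export "
        "GROUP BY grp ORDER BY grp" % delimiter
    )
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def aggregate_bound(conn, delimiter):
    """Hardened pattern: the delimiter travels as a bound query parameter.

    The driver handles quoting, so any delimiter string is used literally.
    This is the same idea as the Django fix, which wraps the delimiter in
    Value() so that it is sent as a parameter rather than as SQL text.
    """
    sql = (
        "SELECT grp, group_concat(val, ?) FROM row_export "
        "GROUP BY grp ORDER BY grp"
    )
    return conn.execute(sql, (delimiter,)).fetchall()


def is_allowed_delimiter(delimiter):
    """Validation layer: only a fixed set of export delimiters is accepted.

    Parameter binding alone makes the query safe; the allowlist additionally
    stops a caller from choosing a delimiter that also occurs in the data and
    would corrupt the exported rows.
    """
    return delimiter in ALLOWED_DELIMITERS


def export_groups(conn, delimiter):
    """Export entry point a view would call: validate, then run the bound query."""
    if not is_allowed_delimiter(delimiter):
        raise ValueError("unsupported delimiter: %r" % delimiter)
    return aggregate_bound(conn, delimiter)


if __name__ == "__main__":
    db = make_db()
    print("bound, ','   :", aggregate_bound(db, ","))
    print("bound, \"'\"  :", aggregate_bound(db, "'"))     # quote used literally
    print("spliced, \"'\":", aggregate_spliced(db, "'"))   # None: statement broken
    print("export, ','  :", export_groups(db, ","))
```

Run it as a script to see the three outcomes side by side: the bound query treats a lone single quote as an ordinary separator, the spliced query cannot even be parsed with that input, and export_groups() refuses it before the query is built. In a Django code base the equivalent of export_groups() is to validate the delimiter against an allowlist in the view and run on a patched release, where StringAgg already binds the delimiter.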
References