[ASA-202002-1] python-django: sql injection
Arch Linux Security Advisory ASA-202002-1 ========================================= Severity: Medium Date : 2020-02-03 CVE-ID : CVE-2020-7471 Package : python-django Type : sql injection Remote : Yes Link : https://security.archlinux.org/AVG-1091 Summary ======= The package python-django before version 3.0.3-1 is vulnerable to sql injection. Resolution ========== Upgrade to 3.0.3-1. # pacman -Syu "python-django>=3.0.3-1" The problem has been fixed upstream in version 3.0.3. Workaround ========== None. Description =========== django.contrib.postgres.aggregates.StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter. Impact ====== A remote attacker is able to perform a SQL injection using a specially crafted request. References ========== https://www.djangoproject.com/weblog/2020/feb/03/security-releases/ https://security.archlinux.org/CVE-2020-7471
participants (1)
-
Morten Linderud