Source: python-django Version: 2:2.2.9-2 Severity: grave Tags: security upstream Justification: user security hole Control: found -1 1:1.11.27-1~deb10u1
Hi, The following vulnerability was published for python-django. CVE-2020-7471[0]: | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 | allows SQL Injection if untrusted data is used as a StringAgg | delimiter (e.g., in Django applications that offer downloads of data | as a series of rows with a user-specified column delimiter). By | passing a suitably crafted delimiter to a | contrib.postgres.aggregates.StringAgg instance, it was possible to | break escaping and inject malicious SQL. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2020-7471 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471 [1] https://www.djangoproject.com/weblog/2020/feb/03/security-releases/ Please adjust the affected versions in the BTS as needed. Regards, Salvatore
