Bug 1798515 (CVE-2020-7471)

Summary: CVE-2020-7471 django: potential SQL injection via StringAgg(delimiter)
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, bbuckingham, bcourt, bkearney, btotty, hhudgeon, hvyas, jal233, jjoyce, jschluet, lhh, lpeer, lzap, mburns, mhroncok, michel, mmccune, mrunge, rchan, rjerrido, sclewis, sgallagh, sisharma, slavek.kabrda, slinaber, sokeeffe
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: python-django 1.11.28, python-django 2.2.10, python-django 3.0.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django, where it may allow SQL injection if improperly sanitized data is used as a StringAgg delimiter. If a suitably crafted delimiter is passed to a 'contrib.postgres.aggregates.StringAgg' instance, it is possible to break escaping and inject malicious SQL. An attacker could use this flaw to cause a denial of service, information disclosure, or privilege escalation.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 18:11:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1798518, 1798521, 1798516, 1798519, 1798520, 1802139, 1809129, 1812715, 1812716, 1812717, 1813793    
Bug Blocks: 1798517    

Description Guilherme de Almeida Suckevicz 2020-02-05 14:31:02 UTC
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.


Comment 1 Guilherme de Almeida Suckevicz 2020-02-05 14:33:35 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1798521]

Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1798518]
Affects: epel-8 [bug 1798519]
Affects: fedora-all [bug 1798516]
Affects: openstack-rdo [bug 1798520]

Comment 5 Riccardo Schirone 2020-02-12 12:58:53 UTC
PostgreSQL specific aggregation functions were added in python-django v1.9 (see https://docs.djangoproject.com/en/3.0/releases/1.9/).

Comment 12 Yadnyawalk Tale 2020-03-16 06:20:43 UTC

Even though the version of python-django as shipped in Red Hat Update Infrastructure contains the vulnerable code, the Product is not vulnerable because the vulnerable function is not used. Red Hat Update Infrastructure is based on pulp 2, which still uses MongoDB as database and not postgresql, where the flaw lies.

Although Red Hat OpenStack Platform 13, 15, & 16 contain the vulnerable code, postgresql is not a supported database hence the lowered impact.

Satellite 6 versions include vulnerable version of python-django however vulnerability is not directly exposed through code since the product does not use 'StringAgg' delimiter implementation. This issue may be get fixed in future updates.