Summary: | CVE-2020-7471 django: potential SQL injection via StringAgg(delimiter) | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | apevec, bbuckingham, bcourt, bkearney, btotty, hhudgeon, hvyas, jal233, jjoyce, jschluet, lhh, lpeer, lzap, mburns, mhroncok, michel, mmccune, mrunge, rchan, rjerrido, sclewis, sgallagh, sisharma, slavek.kabrda, slinaber, sokeeffe |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | python-django 1.11.28, python-django 2.2.10, python-django 3.0.3 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in Django, where it may allow SQL injection if improperly sanitized data is used as a StringAgg delimiter. If a suitably crafted delimiter is passed to a 'contrib.postgres.aggregates.StringAgg' instance, it is possible to break escaping and inject malicious SQL. An attacker could use this flaw to cause a denial of service, information disclosure, or privilege escalation. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-10-28 18:11:17 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Bug Depends On: | 1798518, 1798521, 1798516, 1798519, 1798520, 1802139, 1809129, 1812715, 1812716, 1812717, 1813793 | | |
Bug Blocks: | 1798517 | | |
Description
Guilherme de Almeida Suckevicz
2020-02-05 14:31:02 UTC
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1798521]

Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1798518]
Affects: epel-8 [bug 1798519]
Affects: fedora-all [bug 1798516]
Affects: openstack-rdo [bug 1798520]

Upstream fixes:

* https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136 [master branch]
* https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b [3.0 branch]
* https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147 [2.2 branch]
* https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd [1.11 branch]

PostgreSQL-specific aggregation functions were added in python-django v1.9 (see https://docs.djangoproject.com/en/3.0/releases/1.9/).

Statement:

Even though the version of python-django as shipped in Red Hat Update Infrastructure contains the vulnerable code, the product is not vulnerable because the vulnerable function is not used. Red Hat Update Infrastructure is based on pulp 2, which still uses MongoDB as its database and not PostgreSQL, where the flaw lies.

Although Red Hat OpenStack Platform 13, 15, & 16 contain the vulnerable code, PostgreSQL is not a supported database, hence the lowered impact.

Satellite 6 versions include a vulnerable version of python-django; however, the vulnerability is not directly exposed through code, since the product does not use the 'StringAgg' delimiter implementation. This issue may get fixed in future updates.
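The Doc Text above says a crafted delimiter can "break escaping" because the delimiter was formatted into the SQL text, and the upstream fix passes it as a bound query parameter (a `Value()` expression) instead. The following is an added, reduced model of those two behaviours written for this page; it is not Django's code and not part of the bug report. The template string, function names, and the constructed benign and crafted delimiters are simplifications chosen for illustration, not Django's exact internals.

```python
"""Reduced model of how a StringAgg delimiter reaches the SQL text before and
after the CVE-2020-7471 fix. Illustrative code only, not Django's own
implementation: the template string and function names are simplified."""

from typing import Callable, List, Tuple

# Simplified stand-in for the aggregate's SQL template (assumption, not
# Django's exact template string).
TEMPLATE = "STRING_AGG(%(expressions)s, %(delimiter)s)"

# Constructed sample delimiters: one benign, one carrying a quote that closes
# the literal so the rest of it is parsed as SQL.
BENIGN_DELIMITER = ", "
CRAFTED_DELIMITER = "' || (SELECT current_user) || '"

SqlBuilder = Callable[[str, str], Tuple[str, List[str]]]


def vulnerable_string_agg_sql(column: str, delimiter: str) -> Tuple[str, List[str]]:
    """Pre-fix pattern: the delimiter is wrapped in quotes by string formatting
    and pasted into the SQL text, so a quote inside it terminates the literal
    and whatever follows is parsed as SQL syntax."""
    quoted = "'%s'" % delimiter
    return TEMPLATE % {"expressions": column, "delimiter": quoted}, []


def fixed_string_agg_sql(column: str, delimiter: str) -> Tuple[str, List[str]]:
    """Post-fix pattern: the delimiter travels as a bound query parameter (what
    wrapping it in Value() achieves in Django); the SQL text only ever
    contains a placeholder, whatever the delimiter holds."""
    return TEMPLATE % {"expressions": column, "delimiter": "%s"}, [delimiter]


def text_outside_literals(sql: str) -> str:
    """Return the SQL text with every single-quoted literal removed (doubled
    quotes inside a literal are treated as escaped quotes). What remains is
    what the database parses as SQL syntax, so attacker-controlled text
    showing up here means the delimiter became code."""
    out: List[str] = []
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 2  # '' inside a literal is an escaped quote; stay inside
                    continue
                in_literal = False
        elif ch == "'":
            in_literal = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def sql_text_depends_on_delimiter(build: SqlBuilder) -> bool:
    """True if changing the delimiter changes the SQL text itself rather than
    only the parameter list. That property is exactly what the fix removes."""
    benign_sql, _ = build("name", BENIGN_DELIMITER)
    crafted_sql, _ = build("name", CRAFTED_DELIMITER)
    return benign_sql != crafted_sql


if __name__ == "__main__":
    for label, build in (("vulnerable", vulnerable_string_agg_sql),
                         ("fixed", fixed_string_agg_sql)):
        sql, params = build("name", CRAFTED_DELIMITER)
        print(f"{label}: sql={sql!r} params={params!r}")
        print(f"  parsed as SQL syntax: {text_outside_literals(sql)!r}")
        print(f"  delimiter alters SQL text: {sql_text_depends_on_delimiter(build)}")
```

With the crafted delimiter, the pre-fix builder emits `STRING_AGG(name, '' || (SELECT current_user) || '')`, and stripping the literals shows the subselect sitting in SQL syntax; the post-fix builder always emits `STRING_AGG(name, %s)` and carries the delimiter in the parameter list, so the database driver quotes it and it can never change the statement's shape. The practical check for an application on an unpatched version is the same one the last function performs: if request-controlled data can reach the `delimiter` argument, treat it as injection until the package is upgraded to one of the fixed versions listed in "Fixed In Version".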