Bug 1798515 (CVE-2020-7471) - CVE-2020-7471 django: potential SQL injection via StringAgg(delimiter)
Summary: CVE-2020-7471 django: potential SQL injection via StringAgg(delimiter)
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-7471
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1798518 1798521 1798516 1798519 1798520 1802139 1809129 1812715 1812716 1812717 1813793
Blocks: 1798517
TreeView+ depends on / blocked
 
Reported: 2020-02-05 14:31 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)
26 users (show)

Fixed In Version: python-django 1.11.28, python-django 2.2.10, python-django 3.0.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Django, where it may allow SQL injection if improperly sanitized data is used as a StringAgg delimiter. If a suitably crafted delimiter is passed to a 'contrib.postgres.aggregates.StringAgg' instance, it is possible to break escaping and inject malicious SQL. An attacker could use this flaw to cause a denial of service, information disclosure, or privilege escalation.
Clone Of:
Environment:
Last Closed: 2021-10-28 18:11:17 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-02-05 14:31:02 UTC 
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

Reference:
https://www.openwall.com/lists/oss-security/2020/02/03/1
Comment 1 Guilherme de Almeida Suckevicz 2020-02-05 14:33:35 UTC 
Created django:1.6/python-django tracking bugs for this issue:

Affects: fedora-all [bug 1798521]


Created python-django tracking bugs for this issue:

Affects: epel-7 [bug 1798518]
Affects: epel-8 [bug 1798519]
Affects: fedora-all [bug 1798516]
Affects: openstack-rdo [bug 1798520]
Comment 2 Riccardo Schirone 2020-02-12 12:31:41 UTC 
Upstream fixes:
* https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136 [master branch]
* https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b [3.0 branch]
* https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147 [2.2 branch]
* https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd [1.11 branch]
Comment 5 Riccardo Schirone 2020-02-12 12:58:53 UTC 
PostgreSQL specific aggregation functions were added in python-django v1.9 (see https://docs.djangoproject.com/en/3.0/releases/1.9/).
Comment 12 Yadnyawalk Tale 2020-03-16 06:20:43 UTC 
Statement:

Even though the version of python-django as shipped in Red Hat Update Infrastructure contains the vulnerable code, the Product is not vulnerable because the vulnerable function is not used. Red Hat Update Infrastructure is based on pulp 2, which still uses MongoDB as database and not postgresql, where the flaw lies.

Although Red Hat OpenStack Platform 13, 15, & 16 contain the vulnerable code, postgresql is not a supported database hence the lowered impact.

Satellite 6 versions include vulnerable version of python-django however vulnerability is not directly exposed through code since the product does not use 'StringAgg' delimiter implementation. This issue may be get fixed in future updates.
Note You need to log in before you can comment on or make changes to this bug.