Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. Reference: https://www.openwall.com/lists/oss-security/2020/02/03/1
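The following is an added example, not Django's own code and not part of the advisory. It does not import Django or connect to PostgreSQL; it reproduces how the pre-fix StringAgg template pasted the delimiter into the SQL text, contrasts that with binding the delimiter as a query parameter (which is what the fixed versions do by wrapping a str delimiter in Value()), and adds the allowlist check an application offering a user-chosen export delimiter would want regardless of the Django version. The column and table names and the crafted request value are constructed for illustration.

```python
"""Constructed model of CVE-2020-7471 (StringAgg delimiter injection).

Added example: not Django's code. Nothing here talks to a database; the
functions only assemble SQL text so the two behaviours can be compared.
"""

# The unpatched contrib.postgres.aggregates.StringAgg used a template of the
# form "%(function)s(%(distinct)s%(expressions)s, '%(delimiter)s')" and
# interpolated the delimiter keyword argument into it as plain text.
VULNERABLE_TEMPLATE = "%(function)s(%(expressions)s, '%(delimiter)s')"


def vulnerable_string_agg_sql(column: str, delimiter: str) -> str:
    """SQL text the way the pre-fix template built it: the delimiter is pasted
    between single quotes with no escaping at all."""
    return VULNERABLE_TEMPLATE % {
        "function": "STRING_AGG",
        "expressions": column,
        "delimiter": delimiter,
    }


def safe_string_agg_sql(column: str, delimiter: str) -> tuple:
    """Same aggregate with the delimiter bound as a query parameter.

    `column` must be a trusted identifier (it comes from the model, not the
    request). Only the delimiter is user data, and it travels in the params
    list, so the driver never interprets it as SQL syntax.
    """
    return f"STRING_AGG({column}, %s)", [delimiter]


def breaks_out_of_literal(delimiter: str) -> bool:
    """True if pasting `delimiter` into '...' ends the literal early.

    A doubled quote ('') is valid SQL escaping and stays inside the literal;
    any other single quote terminates it.
    """
    return "'" in delimiter.replace("''", "")


# Delimiters the export endpoint is willing to accept from the request
# (constructed allowlist for a CSV/TSV-style download).
ALLOWED_DELIMITERS = {",", ";", "|", "\t", " "}


def validated_delimiter(user_value: str) -> str:
    """Application-side check for a user-specified column delimiter.

    On a fixed Django the parameter binding already makes the query safe; the
    allowlist is still worth keeping because a delimiter containing SQL syntax
    has no legitimate use in a row export.
    """
    if user_value not in ALLOWED_DELIMITERS:
        raise ValueError(f"unsupported delimiter: {user_value!r}")
    return user_value


# Constructed request value for an export view that does something like
#   Order.objects.aggregate(emails=StringAgg('customer_email', delimiter=delim))
# (hypothetical model and column; the StringAgg call is real Django API).
CRAFTED = "') FROM auth_user --"


def demo() -> dict:
    """Collect the assembled SQL for a benign and a crafted delimiter."""
    benign = ","
    return {
        "benign_vulnerable": vulnerable_string_agg_sql("customer_email", benign),
        "crafted_vulnerable": vulnerable_string_agg_sql("customer_email", CRAFTED),
        "crafted_safe": safe_string_agg_sql("customer_email", CRAFTED),
        "crafted_breaks_out": breaks_out_of_literal(CRAFTED),
        "benign_breaks_out": breaks_out_of_literal(benign),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the crafted value the vulnerable template yields `STRING_AGG(customer_email, '') FROM auth_user --')`: the delimiter has closed the string literal and the rest of the value is now SQL. The parameterised form keeps the whole value in the params list and the SQL text stays `STRING_AGG(customer_email, %s)`. On an unpatched Django there is no safe way to pass an untrusted delimiter, so the allowlist (or upgrading) is the mitigation; on a patched one it is defence in depth.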
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1798521]

Created python-django tracking bugs for this issue:
Affects: epel-7 [bug 1798518]
Affects: epel-8 [bug 1798519]
Affects: fedora-all [bug 1798516]
Affects: openstack-rdo [bug 1798520]
Upstream fixes:
* https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136 [master branch]
* https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b [3.0 branch]
* https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147 [2.2 branch]
* https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd [1.11 branch]
PostgreSQL specific aggregation functions were added in python-django v1.9 (see https://docs.djangoproject.com/en/3.0/releases/1.9/).
Statement: Even though the version of python-django shipped in Red Hat Update Infrastructure contains the vulnerable code, the product is not vulnerable because the vulnerable function is not used. Red Hat Update Infrastructure is based on pulp 2, which still uses MongoDB as its database rather than PostgreSQL, and the flaw lies in the PostgreSQL-specific aggregate (contrib.postgres.aggregates.StringAgg). Although Red Hat OpenStack Platform 13, 15, and 16 contain the vulnerable code, PostgreSQL is not a supported database for them, hence the lowered impact. Satellite 6 versions include a vulnerable version of python-django; however, the vulnerability is not directly exposed through the product's code, since Satellite does not use the StringAgg delimiter implementation. This issue may be fixed in future updates.