CVE-2020-7471: Django SQL Injection Vulnerability Alert

In February 2020 the Django project published a security release announcing a potential SQL injection vulnerability (CVE-2020-7471) in the delimiter argument of the StringAgg aggregate.

The delimiter passed to the constructor of django.contrib.postgres.aggregates.StringAgg was interpolated directly into the generated SQL, with neither escaping nor parameterisation. An attacker who controls that value (for example, a view that lets the client choose the separator for an aggregated field) can close the string literal and append arbitrary SQL. Only PostgreSQL-backed projects that call StringAgg with an untrusted delimiter are exposed; a hard-coded delimiter is not exploitable.
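The mechanism above, as an added example: this is a plain-Python model, not Django's own code. It reproduces the two ways the delimiter can reach the SQL text (pasted in by string formatting, as the unpatched template did, versus handed to the database driver as a bound parameter, which is what the fix does by wrapping the delimiter in a Value() expression) and includes a version check against the fixed releases. The function names, the template constant and the sample payload are constructed for this example.

```python
"""Added example (not Django's code): a plain-Python model of CVE-2020-7471.

It reproduces the two ways StringAgg's delimiter can reach the SQL text:
  * interpolated into the query string by %-formatting (pre-fix behaviour), and
  * passed as a bound query parameter (post-fix behaviour, where Django wraps
    the delimiter in a Value() expression so the driver sends it as data).
All function names and the sample payload below are constructed for this example.
"""

# Pre-fix shape of the aggregate template: the delimiter is pasted between two
# single quotes by string formatting, with no escaping at all.
VULNERABLE_TEMPLATE = "%(function)s(%(expressions)s, '%(delimiter)s')"

# Releases that fixed the issue (Django security release of February 2020).
FIXED_IN = {(1, 11): (1, 11, 28), (2, 2): (2, 2, 10), (3, 0): (3, 0, 3)}


def compile_vulnerable(column, delimiter):
    """Build the aggregate the way the unpatched code did.

    Returns (sql, params); params is empty because nothing is parameterised.
    """
    sql = VULNERABLE_TEMPLATE % {
        "function": "STRING_AGG",
        "expressions": column,
        "delimiter": delimiter,
    }
    return sql, []


def compile_fixed(column, delimiter):
    """Build the aggregate the way the patched code does.

    The delimiter becomes a placeholder and is handed to the DB driver as a
    parameter, so quote characters in it can never change the SQL grammar.
    """
    sql = "STRING_AGG(%s, %%s)" % column
    return sql, [str(delimiter)]


def text_outside_literals(sql):
    """Return the characters of `sql` that are not inside single-quoted literals.

    Anything the delimiter contributes to this text was injected as SQL rather
    than stored as data. Handles the standard '' escape inside a literal.
    """
    out, in_str, i = [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_str:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1          # escaped quote, still inside the literal
                else:
                    in_str = False  # closing quote
        elif ch == "'":
            in_str = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def delimiter_became_code(sql, marker):
    """True when `marker` (text taken from the delimiter) ended up as SQL code.

    For the parameterised form the delimiter lives only in the params list, so
    the marker can appear outside a literal only if it was interpolated.
    """
    return marker in text_outside_literals(sql)


def is_vulnerable(version):
    """Classify a Django release by the first three elements of django.VERSION.

    Series newer than 3.0 were released after the fix. Series not listed in
    FIXED_IN (e.g. 2.0, 2.1) were out of support and never received the patch,
    so they are reported as vulnerable; this is a conservative assumption.
    """
    major, minor, patch = version[:3]
    if (major, minor) > (3, 0):
        return False
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return True
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed payload: closes the literal and the function call, then
    # appends its own SQL; everything after "--" is commented out.
    payload = "') OR 1=1 -- "

    sql, params = compile_vulnerable("name", payload)
    print("vulnerable:", sql, params)
    print("  injected? ", delimiter_became_code(sql, "OR 1=1"))

    sql, params = compile_fixed("name", payload)
    print("fixed:     ", sql, params)
    print("  injected? ", delimiter_became_code(sql, "OR 1=1"))

    for v in [(2, 2, 9), (2, 2, 10), (3, 0, 2), (3, 0, 3), (1, 11, 27), (2, 1, 15)]:
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

To check a live installation, pass django.VERSION[:3] to is_vulnerable(); the tuple is the real django.VERSION attribute, everything else here is the example's own scaffolding. The point of text_outside_literals is that with the interpolated template the payload's "OR 1=1" lands outside any quoted literal, i.e. it is parsed as SQL, whereas with the parameterised form the generated text never contains the delimiter at all.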


Affected versions

  • Django master branch (before the fix commit)
  • Django 3.0 before 3.0.3
  • Django 2.2 before 2.2.10
  • Django 1.11 before 1.11.28

Solution

Django has released fixed versions: 3.0.3, 2.2.10 and 1.11.28, and the fix is also on the master branch. Affected users should upgrade to the patched release of the series they are running as soon as possible. Until the upgrade is deployed, make sure no request-controlled value is passed as the delimiter argument of StringAgg.
If Django was installed with pip, the following command upgrades it. Note that without a version constraint pip resolves to the newest release overall, which may cross a major version; add a specifier for your series (for example "<2.3" for the 2.2 line) if you want to stay on it.

$ pip install -U Django