An attacker who controls the `delimiter` argument passed to the constructor of the django.contrib.postgres.aggregates.StringAgg aggregate function can bypass escaping and inject malicious SQL statements.
- Django master branch
- Django 3.0
- Django 2.2
- Django 1.11
Django has officially released fixed versions on the master branch and the 3.0, 2.2, and 1.11 release branches. Affected users should update to the fixed release for their branch as soon as possible.
If you install Django using pip, you can do this with the following command:
$ pip install -U Django
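As an added defender-side check that is not part of the original advisory, the following Python script uses the standard-library ast module to flag StringAgg call sites whose delimiter argument is anything other than a string literal, so reviewers can locate the places where untrusted input could reach the vulnerable parameter on an unpatched release. The sample module it scans is constructed for illustration.

```python
import ast
from typing import List, Optional, Tuple

# Constructed sample module (not from the advisory): one literal delimiter,
# one keyword delimiter taken from a request, one positional delimiter.
SAMPLE_SOURCE = '''
from django.contrib.postgres.aggregates import StringAgg

def safe(qs):
    return qs.aggregate(names=StringAgg("name", delimiter=", "))

def unsafe(qs, request):
    sep = request.GET.get("sep", ",")
    return qs.aggregate(names=StringAgg("name", delimiter=sep))

def unsafe_positional(qs, sep):
    return qs.aggregate(names=StringAgg("name", sep))
'''


def _is_string_agg(call: ast.Call) -> bool:
    # Match both `StringAgg(...)` and `aggregates.StringAgg(...)`.
    func = call.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    return name == "StringAgg"


def _delimiter_arg(call: ast.Call) -> Optional[ast.expr]:
    # StringAgg(expression, delimiter, ...): keyword form first, then positional.
    for kw in call.keywords:
        if kw.arg == "delimiter":
            return kw.value
    return call.args[1] if len(call.args) >= 2 else None


def find_dynamic_delimiters(source: str) -> List[Tuple[int, str]]:
    """Return (line, delimiter_expression) for StringAgg calls whose
    delimiter is not a plain string literal and therefore needs review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_string_agg(node):
            delim = _delimiter_arg(node)
            if delim is None:
                continue
            if isinstance(delim, ast.Constant) and isinstance(delim.value, str):
                continue  # hard-coded literal: not attacker-controlled
            findings.append((node.lineno, ast.unparse(delim)))
    return sorted(findings)


if __name__ == "__main__":
    for line, expr in find_dynamic_delimiters(SAMPLE_SOURCE):
        print(f"line {line}: StringAgg delimiter is not a literal: {expr}")
```

Run it over each application module (for example by reading the file into `find_dynamic_delimiters`); every reported site should either be upgraded along with Django or rewritten to use a hard-coded delimiter.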