Django has published a security notice for a SQL injection vulnerability (CVE-2020-7471) in the delimiter argument of StringAgg.
An attacker who controls the delimiter passed to the django.contrib.postgres.aggregates.StringAgg constructor can bypass escaping and inject arbitrary SQL into the generated query.
Affected versions:
- Django master branch
- Django 3.0
- Django 2.2
- Django 1.11
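To make the mechanism concrete, the following is an added Python example, not Django's code and not part of the original advisory. It uses SQLite's group_concat(name, separator) as a stand-in for PostgreSQL's string_agg: aggregate_unsafe splices the delimiter into the SQL text the way the affected StringAgg template did, while aggregate_safe binds it as a query parameter so the driver handles quoting. The table, rows, and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data for the example (not from the advisory).
ROWS = [("alice",), ("bob",), ("carol",)]


def _connect():
    """Build a throwaway in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT)")
    conn.executemany("INSERT INTO person VALUES (?)", ROWS)
    return conn


def aggregate_unsafe(delimiter):
    """Delimiter spliced into the SQL text with string formatting.

    This mirrors the vulnerable pattern: the delimiter is parsed as part
    of the statement, so quote characters in it change the query's
    structure instead of being treated as data.
    """
    conn = _connect()
    sql = "SELECT group_concat(name, '%s') FROM person" % delimiter
    return conn.execute(sql).fetchone()[0]


def aggregate_safe(delimiter):
    """Delimiter bound as a query parameter (the hardened pattern).

    The database driver sends the value separately from the SQL text,
    so any character in the delimiter is only ever data.
    """
    conn = _connect()
    sql = "SELECT group_concat(name, ?) FROM person"
    return conn.execute(sql, (delimiter,)).fetchone()[0]


def delimiter_reaches_parser(delimiter):
    """Defensive check: does the unsafe path let the delimiter alter the SQL?

    Returns True when the spliced version either fails to parse or
    yields a different result from the parameterized version, which is
    the signature of unescaped interpolation.
    """
    try:
        return aggregate_unsafe(delimiter) != aggregate_safe(delimiter)
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print(aggregate_safe(", "))           # alice, bob, carol
    print(delimiter_reaches_parser(", ")) # False: harmless delimiter
    print(delimiter_reaches_parser("'"))  # True: unsafe path breaks on a quote
```

The patched Django releases take the same approach as aggregate_safe: the delimiter is bound as a query parameter rather than being written into the SQL string, so upgrading is the fix; there is no application-side escaping that reliably substitutes for it.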
Django has released new versions that fix the vulnerability. Affected users should update to the patched releases on the master branch and the 3.0, 2.2, and 1.11 release branches as soon as possible.
If you install Django using pip, you can do this with the following command:
$ pip install -U Django
The post CVE-2020-7471: Django SQL Injection Vulnerability Alert appeared first on InfoTech News.