PublicDateAtUSN: 2020-02-03 10:00:00 UTC
Candidate: CVE-2020-7471
CRD: 2020-02-03 10:00:00 UTC
PublicDate: 2020-02-03 12:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
 https://www.openwall.com/lists/oss-security/2020/02/03/1
 https://ubuntu.com/security/notices/USN-4264-1
Description:
 Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows
 SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in
 Django applications that offer downloads of data as a series of rows with a
 user-specified column delimiter). By passing a suitably crafted delimiter
 to a contrib.postgres.aggregates.StringAgg instance, it was possible to
 break escaping and inject malicious SQL.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Simon Charette
Assigned-to: amurray
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_python-django:
 upstream: https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136 (master)
 upstream: https://github.com/django/django/commit/505826b469b16ab36693360da9e11fd13213421b (3.0)
 upstream: https://github.com/django/django/commit/c67a368c16e4680b324b4f385398d638db4d8147 (2.2)
 upstream: https://github.com/django/django/commit/001b0634cd309e372edb6d7d95d083d02b8e37bd (1.1)
upstream_python-django: released (2.2.10)
precise/esm_python-django: DNE
trusty_python-django: ignored (out of standard support)
trusty/esm_python-django: not-affected (code not present)
xenial_python-django: not-affected (code not present)
esm-infra/xenial_python-django: not-affected (code not present)
bionic_python-django: released (1:1.11.11-1ubuntu1.7)
eoan_python-django: released (1:1.11.22-1ubuntu1.2)
devel_python-django: not-affected (2:2.2.10-1)