VDB

CVE-2020-7471

CVE-2020-7471 PUBLISHED

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.

EPSS 15.37% · 94.8th percentile

Risk Scores

EPSS Score
15.37%
94.8th percentile

Affected Products

VendorProductVersions
Bitnamidjango2.2.0, 3.0.0, 1.11.0
Bitnamidjango1.11.0, 2.2.0, 3.0.0

Timeline

  • Feb 3, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
  • Nov 6, 2022 EPSS Score
  • Jan 8, 2023 EPSS Score
  • Mar 11, 2023 EPSS Score
  • May 13, 2023 EPSS Score
  • Sep 15, 2023 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›