CVE-2020-7471: SQL injection in Django
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2020-7471
GHSA ID:
EPSS Score: 0.92015%
CWE:
Published: 2/11/2020
Updated: 9/20/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| django | pip | < 1.11.28 | 1.11.28 |
| Django | pip | >= 2.0, < 2.2.10 | 2.2.10 |
| Django | pip | >= 3.0, < 3.0.3 | 3.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how StringAgg handled the 'delimiter' parameter. The original implementation used string formatting to interpolate the delimiter directly into the SQL template ('%(delimiter)s'), so the delimiter became part of the SQL text and the aggregate was vulnerable to SQL injection. The patch changed this by wrapping the delimiter in a Value() expression, which forces it through SQL parameterization instead of the template. The commit diff shows the vulnerable pattern in the template and the fix in the __init__ method, matching the CVE description of delimiter-based SQL injection.
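The two patterns the analysis describes, as an added example that is not Django's code: a SQLite GROUP_CONCAT stand-in for StringAgg, with the delimiter spliced into the template (the pre-fix pattern) beside the delimiter bound as a parameter (the post-fix pattern, the role Value() plays), plus a check a reviewer can run to confirm that a delimiter value can no longer alter the statement. The table, rows and function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the aggregated model rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE author (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO author (name) VALUES (?)", [("ann",), ("bob",)])
    conn.commit()
    return conn


def string_agg_vulnerable(conn, delimiter):
    # Pre-fix pattern: the delimiter is %-formatted into the SQL template,
    # so whatever it contains becomes part of the SQL text itself.
    template = "SELECT GROUP_CONCAT(name, '%(delimiter)s') FROM author"
    sql = template % {"delimiter": delimiter}
    return conn.execute(sql).fetchone()[0]


def string_agg_fixed(conn, delimiter):
    # Post-fix pattern: the delimiter travels as a bound parameter and never
    # touches the statement text, which is what wrapping it in Value() achieves.
    sql = "SELECT GROUP_CONCAT(name, ?) FROM author"
    return conn.execute(sql, (str(delimiter),)).fetchone()[0]


def statement_structure_changes(conn, delimiter):
    # Regression check: True when the unparameterized path lets the delimiter
    # alter the statement (here it breaks parsing) while the parameterized
    # path still treats the same value as literal text.
    try:
        string_agg_vulnerable(conn, delimiter)
        vulnerable_ok = True
    except sqlite3.OperationalError:
        vulnerable_ok = False
    fixed_ok = string_agg_fixed(conn, delimiter) is not None
    return fixed_ok and not vulnerable_ok


if __name__ == "__main__":
    db = make_db()
    print(string_agg_fixed(db, ", "))             # ann, bob
    print(statement_structure_changes(db, "'"))   # True
```

A single quote is enough to show the difference: the parameterized path returns `ann'bob`, while the formatted template turns the same value into a malformed statement.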