
CVE-2020-7471: SQL injection in Django

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.92015%
Published: 2/11/2020
Updated: 9/20/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
django         pip         < 1.11.28             1.11.28
Django         pip         >= 2.0, < 2.2.10      2.2.10
Django         pip         >= 3.0, < 3.0.3       3.0.3

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from how StringAgg handled its delimiter argument. The original implementation placed the delimiter in the SQL template as a quoted literal ('%(delimiter)s') and filled it in with string formatting, so a delimiter containing a single quote could close the literal and append arbitrary SQL to the STRING_AGG() call. The patch removes the delimiter from the template and instead wraps it in a Value() expression in __init__, so it is compiled to a placeholder and sent to the database as a bound query parameter. The commit diff shows both the vulnerable template and the __init__ change, which matches the CVE description of delimiter-based SQL injection. For applications on an affected release that let users choose an export delimiter, the fix is to upgrade; until then, accept only delimiters from a fixed allowlist rather than trying to escape user input, because the interpolation happens inside Django's own template and cannot be corrected from application code.
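The following is an added example, not Django's code and not part of this advisory. It models the two behaviours described above (delimiter pasted into the SQL text versus delimiter passed as a bound parameter) with a crafted delimiter, checks the generated SQL for text that escaped the literal, and turns the affected-version table above into a version gate. All function names (string_agg_vulnerable, string_agg_fixed, has_injected_sql, is_affected, quote_ident) are hypothetical, the sample delimiter is constructed, and no database is needed.

```python
import re

# Affected ranges transcribed from the version table above. The 1.x row has no
# lower bound in the table, so anything below 1.11.28 is treated as affected.
# Tuples are (major, minor, patch).
AFFECTED_RANGES = [
    ((0, 0, 0), (1, 11, 28)),   # django < 1.11.28, patched in 1.11.28
    ((2, 0, 0), (2, 2, 10)),    # 2.0 <= Django < 2.2.10, patched in 2.2.10
    ((3, 0, 0), (3, 0, 3)),     # 3.0 <= Django < 3.0.3, patched in 3.0.3
]


def is_affected(version):
    """True if a (major, minor, patch) tuple falls inside an affected range.
    2.0.x and 2.1.x have no patched release of their own; they only leave
    the range by moving to 2.2.10 or later."""
    v = tuple(version[:3])
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def quote_ident(name):
    """Hypothetical helper: quote a column name as a PostgreSQL identifier."""
    return '"' + name.replace('"', '""') + '"'


def string_agg_vulnerable(column, delimiter):
    """Model of the pre-fix StringAgg: the delimiter is %-formatted straight
    into the SQL text as a quoted literal, with no escaping.
    Returns (sql, params)."""
    template = "%(function)s(%(expressions)s, '%(delimiter)s')"
    sql = template % {
        "function": "STRING_AGG",
        "expressions": quote_ident(column),
        "delimiter": delimiter,   # untrusted input lands inside the SQL text
    }
    return sql, []


def string_agg_fixed(column, delimiter):
    """Model of the post-fix StringAgg: the delimiter is compiled like a
    Value() expression, i.e. a %s placeholder plus a bound parameter, so the
    database driver never parses it as SQL. Returns (sql, params)."""
    template = "%(function)s(%(expressions)s, %(delimiter)s)"
    sql = template % {
        "function": "STRING_AGG",
        "expressions": quote_ident(column),
        "delimiter": "%s",        # placeholder; the value travels in params
    }
    return sql, [str(delimiter)]


# A single-quoted SQL literal; a doubled quote ('') inside it is an escape.
_SQL_LITERAL = re.compile(r"'(?:[^']|'')*'")


def sql_outside_literals(sql):
    """Blank out every complete single-quoted literal and return what is
    left, i.e. the text the database would parse as SQL rather than data."""
    return _SQL_LITERAL.sub("''", sql)


def has_injected_sql(sql):
    """Heuristic check: a statement terminator or comment marker outside any
    string literal means user-supplied text became SQL."""
    bare = sql_outside_literals(sql)
    return ";" in bare or "--" in bare


if __name__ == "__main__":
    # Constructed sample input: a user-chosen export delimiter that closes the
    # literal and the function call, then appends its own statement.
    evil = "'); DROP TABLE users; --"
    for build in (string_agg_vulnerable, string_agg_fixed):
        sql, params = build("email", evil)
        print(build.__name__, "->", sql, params, "injected:", has_injected_sql(sql))
    print("Django 2.2.9 affected:", is_affected((2, 2, 9)))
```

To gate a real deployment, pass django.VERSION (a tuple whose first three items are major, minor, patch) to is_affected. The injection check is deliberately a heuristic over the generated SQL text; the point it makes is that the fixed builder never produces a string in which the delimiter can reach the parser at all, regardless of its content.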

WAF Protection Rules

WAF Rule

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter).
