What is CVE-2020-7471?

CVE-2020-7471 is a vulnerability in N/a. Published 2020-02-03.

Is CVE-2020-7471 known to be exploited?

60 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2020-7471

Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specifie…

EPSS: 0.653 (99.2th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

References

groups.google.com/forum/ (x_refsource_CONFIRM)
docs.djangoproject.com/en/3.0/releases/security/ (x_refsource_CONFIRM)
www.openwall.com/lists/oss-security/2020/02/03/1 (x_refsource_CONFIRM)
www.djangoproject.com/weblog/2020/feb/03/security-releases/ (x_refsource_CONFIRM)
[oss-security] 20200203 Django 3.0.3, 2.2.10 and 1.11.28: CVE-2020-7471: Potential SQL injection via ``StringAgg(delimiter)`` (mailing-list, x_refsource_MLIST)
github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136 (x_refsource_CONFIRM)
USN-4264-1 (vendor-advisory, x_refsource_UBUNTU)
20200219 [SECURITY] [DSA 4629-1] python-django security update (mailing-list, x_refsource_BUGTRAQ)
DSA-4629 (vendor-advisory, x_refsource_DEBIAN)
security.netapp.com/advisory/ntap-20200221-0006/ (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2020-7471?: CVE-2020-7471 is a vulnerability in N/a. Published 2020-02-03.
Is CVE-2020-7471 known to be exploited?: 60 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.