Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBnaGYtMzQ3eC1jMmdq
SQL Injection in django-debug-toolbar
Impact
With Django Debug Toolbar enabled, attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.
NOTE: This is a high severity issue for anyone using the toolbar in a production environment.
Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.
Patches
Please upgrade to one of the following versions, depending on the major version you're using:
- Version 1.x: django-debug-toolbar 1.11.1
- Version 2.x: django-debug-toolbar 2.2.1
- Version 3.x: django-debug-toolbar 3.2.1
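To check an installed copy against the affected ranges listed in this advisory, here is an added Python example (not part of the advisory or of the django-debug-toolbar project). It assumes the three affected ranges and fixed releases stated above and uses only the standard library; the version parser is a deliberately small one that understands `MAJOR.MINOR[.PATCH]` plus an optional pre-release suffix, not the full PEP 440 grammar.

```python
import re
from importlib.metadata import PackageNotFoundError, version as dist_version

# Affected ranges from the advisory, as (first affected, first fixed) per series.
AFFECTED_RANGES = [("0.10.0", "1.11.1"), ("2.0.0", "2.2.1"), ("3.0.0", "3.2.1")]
FIXED_BY_MAJOR = {1: "1.11.1", 2: "2.2.1", 3: "3.2.1"}

def parse_version(text):
    """Turn 'MAJOR.MINOR[.PATCH][suffix]' into a comparable tuple. The last
    element is 0 for pre-releases (e.g. '3.2.1rc1') so they sort below the final."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(.*?)\s*$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    final = 1 if suffix == "" or suffix.startswith(".post") else 0
    return (int(major), int(minor), int(patch or 0), final)

def is_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    for first_bad, first_fixed in AFFECTED_RANGES:
        lo = parse_version(first_bad)[:3] + (0,)  # pre-releases of first bad version count too
        hi = parse_version(first_fixed)           # the final fixed release is excluded
        if lo <= v < hi:
            return True
    return False

def recommended_upgrade(text):
    """Fixed release for the installed series, or None when not affected."""
    if not is_affected(text):
        return None
    major = parse_version(text)[0]
    return FIXED_BY_MAJOR[max(major, 1)]  # 0.10.x .. 1.11.0 are fixed by 1.11.1

def check_environment():
    """Report on the django-debug-toolbar distribution installed in this interpreter."""
    try:
        installed = dist_version("django-debug-toolbar")
    except PackageNotFoundError:
        return "django-debug-toolbar is not installed"
    fix = recommended_upgrade(installed)
    if fix is None:
        return f"django-debug-toolbar {installed} is not in an affected range"
    return f"django-debug-toolbar {installed} is affected; upgrade to {fix}"

if __name__ == "__main__":
    print(check_environment())
```

A pre-release of a fixed version (such as 3.2.1rc1) is deliberately treated as still affected, since the advisory names only the final releases as fixed.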
For more information
If you have any questions or comments about this advisory:
- Open an issue in the django-debug-toolbar repo (Please NO SENSITIVE INFORMATION, send an email instead!)
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBnaGYtMzQ3eC1jMmdq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 8 months ago
Identifiers: GHSA-pghf-347x-c2gj, CVE-2021-30459
References:
- https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30459
- https://www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases/
- https://nvd.nist.gov/vuln/detail/CVE-2021-30459
- https://github.com/jazzband/django-debug-toolbar/releases
- https://github.com/advisories/GHSA-pghf-347x-c2gj
Affected Packages
pypi:django-debug-toolbar
Versions: >= 0.10.0, < 1.11.1; >= 2.0.0, < 2.2.1; >= 3.0.0, < 3.2.1
Fixed in: 1.11.1, 2.2.1, 3.2.1