Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBnaGYtMzQ3eC1jMmdq

SQL Injection in django-debug-toolbar

Impact

With Django Debug Toolbar, attackers are able to execute arbitrary SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.

NOTE: This is a high severity issue for anyone using the toolbar in a production environment.

Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.

Patches

Please upgrade to one of the following versions, depending on the major version you're using:

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-pghf-347x-c2gj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXBnaGYtMzQ3eC1jMmdq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


Identifiers: GHSA-pghf-347x-c2gj, CVE-2021-30459
References: Repository: https://github.com/jazzband/django-debug-toolbar
Blast Radius: 0.0

Affected Packages

pypi:django-debug-toolbar
Dependent packages: 85
Dependent repositories: 29,665
Downloads: 2,615,991 last month
Affected Version Ranges: >= 0.10.0, < 1.11.1; >= 2.0.0, < 2.2.1; >= 3.0.0, < 3.2.1
Fixed in: 2.2.1, 1.11.1, 3.2.1
All affected versions: 0.10.0, 0.10.1, 0.10.2, 0.11.0, 1.0.1, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.9.1, 1.10.1, 3.1.1
All unaffected versions: 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 1.11.1, 2.2.1, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.1, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6
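As an added example (not part of the advisory or of the django-debug-toolbar project), the following Python check maps a pinned django-debug-toolbar version against the affected ranges listed above and reports the first fixed release on the same line. It assumes plain dotted numeric versions (no pre-release suffixes); the requirements lines it scans are constructed sample data.

```python
"""Audit pinned django-debug-toolbar versions against GHSA-pghf-347x-c2gj / CVE-2021-30459."""

# Affected ranges from the advisory: (lower bound inclusive, upper bound exclusive).
# The exclusive upper bound of each range is the fixed release for that major line.
AFFECTED_RANGES = [
    ("0.10.0", "1.11.1"),
    ("2.0.0", "2.2.1"),
    ("3.0.0", "3.2.1"),
]

PACKAGE = "django-debug-toolbar"

# Constructed sample requirements.txt content (assumption, not from the advisory).
SAMPLE_REQUIREMENTS = [
    "Django==3.2",
    "django-debug-toolbar==3.1.1  # dev only, but shipped in the prod image",
    "requests==2.25.1",
]


def parse_version(text):
    """Parse 'X.Y.Z' into a comparable tuple, padding short versions ('3.2' -> (3, 2, 0))."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def recommended_fix(version):
    """Return the fixed release for an affected version, or None if the version is not affected."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return high
    return None


def is_affected(version):
    return recommended_fix(version) is not None


def audit_requirements(lines):
    """Return (pinned_version, fixed_version) for every affected django-debug-toolbar pin."""
    findings = []
    for line in lines:
        spec = line.split("#", 1)[0].strip()          # drop trailing comments
        name, sep, version = spec.partition("==")
        if not sep:
            continue                                  # only exact pins are checked here
        if name.strip().lower().replace("_", "-") == PACKAGE and is_affected(version):
            findings.append((version.strip(), recommended_fix(version)))
    return findings


if __name__ == "__main__":
    for pinned, fixed in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{PACKAGE}=={pinned} is affected; upgrade to {fixed}")
```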