{"id":"CVE-2020-7471","details":"Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.","aliases":["BIT-django-2020-7471","GHSA-hmr4-m2h5-33qx","PYSEC-2020-35"],"modified":"2026-03-20T11:37:43.073049Z","published":"2020-02-03T12:15:26.993Z","related":["SUSE-RU-2020:2161-1","SUSE-SU-2020:3309-1","openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"https://usn.ubuntu.com/4264-1/"},{"type":"WEB","url":"https://groups.google.com/forum/#%21topic/django-announce/X45S86X5bZI"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/"},{"type":"WEB","url":"https://seclists.org/bugtraq/2020/Feb/30"},{"type":"ADVISORY","url":"https://docs.djangoproject.com/en/3.0/releases/security/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4629"},{"type":"ADVISORY","url":"https://www.djangoproject.com/weblog/2020/feb/03/security-releases/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2020/02/03/1"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202004-17"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200221-0006/"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2020/02/03/1"},{"type":"FIX","url":"https://github.com/django/django/commit/eb31d845323618d688ad429479c6dda973056136"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"c669cf279ae7b3e02a61db4fb077030a4db80e4f"},{"fixed":"e09f09b965ef47ffd99abd2c26ba7416751cffa6"},{"introduced":"2a62cdcfec85938f40abb2e9e6a9ff497e02afe8"},{"fixed":"b2c33a57b3b98f1e90bbc2a2be2c5a6d814eed29"},{"introduced":"2a04e24d2dfc8e60a66e4369d970913cb2112d91"},{"fixed":"c459a4661b2e96b53d3784c76e1fd5651b8cdc4a"},{"fixed":"eb31d845323618d688ad429479c6dda973056136"}],"database_specific":{"versions":[{"introduced":"1.11"},{"fixed":"1.11.28"},{"introduced":"2.2"},{"fixed":"2.2.10"},{"introduced":"3.0"},{"fixed":"3.0.3"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7471.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}