SQL Injection via in django-debug-toolbar

2021-04-1619:53:28

Google

osv.dev

0.002 Low

EPSS

Percentile

56.6%

JSON

Impact

With Django Debug Toolbar attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.

NOTE: This is a high severity issue for anyone using the toolbar in aproduction environment.

Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.

Patches

Please upgrade to one of the following versions, depending on the major version you’re using:

Version 1.x: django-debug-toolbar 1.11.1
Version 2.x: django-debug-toolbar 2.2.1
Version 3.x: django-debug-toolbar 3.2.1

For more information

If you have any questions or comments about this advisory:

Open an issue in the django-debug-toolbar repo (Please NO SENSITIVE INFORMATION, send an email instead!)
Email us at [email protected]

CPENameOperatorVersion
django-debug-toolbareq1.5
django-debug-toolbareq1.9
django-debug-toolbareq1.6
django-debug-toolbareq3.2
django-debug-toolbareq1.2
django-debug-toolbareq0.10.0
django-debug-toolbareq3.1.1
django-debug-toolbareq1.10.1
django-debug-toolbareq2.2
django-debug-toolbareq2.0

Name	Operator	Version
django-debug-toolbar	eq	1.5
django-debug-toolbar	eq	1.9
django-debug-toolbar	eq	1.6
django-debug-toolbar	eq	3.2
django-debug-toolbar	eq	1.2
django-debug-toolbar	eq	0.10.0
django-debug-toolbar	eq	3.1.1
django-debug-toolbar	eq	1.10.1
django-debug-toolbar	eq	2.2
django-debug-toolbar	eq	2.0