CVE-2021-30459: SQL Injection in django-debug-toolbar
With Django Debug Toolbar, attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.
NOTE: This is a high severity issue for anyone using the toolbar in a production environment.
Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.
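One way to close this class of issue, shown as an added example written for this page rather than code taken from django-debug-toolbar: the server signs the recorded query text when it renders the explain form and re-verifies the signature on submission, so an edited raw_sql field is rejected before any SQL reaches the database. The secret key, table and query are constructed for the demo, and sqlite3 stands in for the project's database backend.

```python
# Added example, not django-debug-toolbar's own code: the explain form re-submits a
# recorded query's text, so the handler must not trust raw_sql from the client.
# The server signs the query when rendering the form and refuses anything whose
# signature does not verify.
import hashlib
import hmac
import sqlite3
from typing import Optional, Tuple

# Constructed secret for the demo; in Django this would come from settings.SECRET_KEY.
SECRET_KEY = b"constructed-secret-for-demo-only"


def sign_query(raw_sql: str, key: bytes = SECRET_KEY) -> str:
    """Hex HMAC-SHA256 tag that the server embeds in the form as a hidden field."""
    return hmac.new(key, raw_sql.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_query(raw_sql: str, signature: str, key: bytes = SECRET_KEY) -> bool:
    """Constant-time comparison so the tag cannot be recovered byte by byte."""
    return hmac.compare_digest(sign_query(raw_sql, key), signature)


def explain_submission(form: dict, conn: sqlite3.Connection) -> Optional[list]:
    """Handle a submitted explain form; return the plan rows, or None if rejected."""
    raw_sql = form.get("raw_sql", "")
    signature = form.get("signature", "")
    if not verify_query(raw_sql, signature):
        return None  # tampered or missing signature: nothing is executed
    cur = conn.execute("EXPLAIN QUERY PLAN " + raw_sql)
    return cur.fetchall()


def demo() -> Tuple[bool, bool]:
    """Returns (genuine form accepted, tampered form accepted)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT)")
    recorded = "SELECT id FROM auth_user WHERE username = 'alice'"
    form = {"raw_sql": recorded, "signature": sign_query(recorded)}
    genuine_ok = explain_submission(form, conn) is not None
    # A client that edits the hidden raw_sql field still carries the old
    # signature, which no longer matches the submitted text.
    tampered = dict(form, raw_sql="SELECT * FROM auth_user")
    tampered_ok = explain_submission(tampered, conn) is not None
    return genuine_ok, tampered_ok
```

Signing only protects text the server itself produced; it does not make the toolbar safe to expose in production, which the advisory above still warns against.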
References
- cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30459
- github.com/advisories/GHSA-pghf-347x-c2gj
- github.com/jazzband/django-debug-toolbar
- github.com/jazzband/django-debug-toolbar/releases
- github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
- github.com/pypa/advisory-database/tree/main/vulns/django-debug-toolbar/PYSEC-2021-10.yaml
- nvd.nist.gov/vuln/detail/CVE-2021-30459
- www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases