SQL Injection via in django-debug-toolbar

Impact

With Django Debug Toolbar attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.

NOTE: This is a high severity issue for anyone using the toolbar in a production environment.

Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.

Patches

Please upgrade to one of the following versions, depending on the major version you're using:

Version 1.x: django-debug-toolbar 1.11.1
Version 2.x: django-debug-toolbar 2.2.1
Version 3.x: django-debug-toolbar 3.2.1

For more information

If you have any questions or comments about this advisory:

Open an issue in the django-debug-toolbar repo (Please NO SENSITIVE INFORMATION, send an email instead!)
Email us at security@jazzband.co

References

jezdez published to jazzband/django-debug-toolbar Apr 14, 2021

Published by the National Vulnerability Database Apr 14, 2021

Reviewed Apr 14, 2021

Published to the GitHub Advisory Database Apr 16, 2021

Last updated Feb 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

For more information

References

Severity

Weaknesses

CVE ID

GHSA ID

Source code

Credits