
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN222
_____________________________________________________________________

DATE                : 15/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Django Debug Toolbar versions prior
                     to 3.2.1, 2.2.1, 1.11.1.

=====================================================================
https://www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases/
https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
_____________________________________________________________________

Django Debug Toolbar security releases issued: 3.2.1, 2.2.1 and 1.11.1.
Posted by Jannis Leidel on April 14, 2021


In accordance with the security release policies that Django and
Jazzband are following, the Jazzband project team for the Django Debug
Toolbar project is issuing Django Debug Toolbar 3.2.1, Django Debug
Toolbar 2.2.1 and Django Debug Toolbar 1.11.1. These releases address
the security issue with severity "high" detailed below. We encourage all
users of Django Debug Toolbar to upgrade as soon as possible.

CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of
the SQLPanel for Django Debug Toolbar >= 0.10.0

With Django Debug Toolbar 0.10.0 and above, attackers are able to
execute SQL by changing the raw_sql input of the SQL explain, analyze or
select forms and submitting the form.

This is a high severity issue for anyone using the toolbar in a
production environment.

Generally the Django Debug Toolbar team only maintains the latest
version of django-debug-toolbar, but an exception was made because of
the high severity of this issue.

The GitHub Security Advisory can be found here:

https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj


Affected supported versions

    Django Debug Toolbar main branch
    Django Debug Toolbar 3.2
    Django Debug Toolbar 2.2
    Django Debug Toolbar 1.11


Resolution

Patches to resolve the issue have been applied to Django Debug Toolbar's
main branch (for the 3.2 release) and the 2.2 and 1.11 release branches.
The patches may be obtained from the following changesets:

    On the main branch
    On the 2.2 release branch
    On the 1.11 release branch

The following releases have been issued:

    Django Debug Toolbar 3.2.1
    Django Debug Toolbar 2.2.1
    Django Debug Toolbar 1.11.1

General notes regarding security reporting

Since this security release is for the 3rd party Django app Django Debug
Toolbar, we ask to send potential security issues via private email to
security@jazzband.co, and not to Django's regular security email
address, nor Django's Trac instance or the django-developers list.


_____________________________________________________________________


SQL Injection via Select, Explain and Analyze forms of the SQLPanel for
Django Debug Toolbar >= 0.10.0

high

jezdez published GHSA-pghf-347x-c2gj Apr 14, 2021


Package
django-debug-toolbar (pip)

Affected versions
>= 0.10.0

Patched versions
1.11.1, 2.2.1, 3.2.1


Description

Impact

With Django Debug Toolbar 0.10.0 and above, attackers are able to
execute SQL by changing the raw_sql input of the SQL explain, analyze or
select forms and submitting the form.

NOTE: This is a high severity issue for anyone using the toolbar in a
production environment.

Generally the Django Debug Toolbar team only maintains the latest
version of django-debug-toolbar, but an exception was made because of
the high severity of this issue.


Patches

Please upgrade to one of the following versions, depending on the major
version you're using:

    Version 1.x: django-debug-toolbar 1.11.1
    Version 2.x: django-debug-toolbar 2.2.1
    Version 3.x: django-debug-toolbar 3.2.1
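As an added illustration (not part of the advisory or of the project's own code), a small Python triage helper that applies the version ranges above to a pinned requirements file and names the release to move to for each major line. The requirements lines are constructed for the example, and it assumes that any line newer than 3.x was cut after the fix landed on main.

```python
import re

# Version boundaries taken from the advisory: first affected release and
# the patched release for each maintained major line.
FIRST_AFFECTED = (0, 10, 0)
PATCHED = {1: (1, 11, 1), 2: (2, 2, 1), 3: (3, 2, 1)}

# Matches pins such as "django-debug-toolbar==3.2" (pip also accepts the
# underscore spelling, so both are recognised).
PIN = re.compile(r"^\s*django[-_]debug[-_]toolbar\s*==\s*([\w.]+)", re.IGNORECASE)


def parse_version(text):
    """Turn '3.2' or '3.2.1' into a 3-tuple of ints; missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    """True if this django-debug-toolbar version is exposed to CVE-2021-30459."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    fixed = PATCHED.get(v[0])
    if fixed is None:
        # 0.x lines at or above 0.10.0 never received a fix; anything newer
        # than 3.x is assumed (for this example) to postdate the patch.
        return v[0] == 0
    return v < fixed


def triage_requirements(lines):
    """Return (pinned version, vulnerable?, recommended upgrade or None)."""
    results = []
    for line in lines:
        match = PIN.match(line)
        if not match:
            continue
        version = match.group(1)
        vulnerable = is_vulnerable(version)
        fixed = PATCHED.get(parse_version(version)[0], PATCHED[3])
        results.append((version, vulnerable, ".".join(map(str, fixed)) if vulnerable else None))
    return results


# Constructed sample requirements file for the example.
SAMPLE_REQUIREMENTS = """
Django==3.2
django-debug-toolbar==3.2
django_debug_toolbar==1.11.1
django-debug-toolbar==0.9.2
""".splitlines()

if __name__ == "__main__":
    for version, vulnerable, upgrade in triage_requirements(SAMPLE_REQUIREMENTS):
        print(version, "VULNERABLE -> upgrade to " + upgrade if vulnerable else "ok")
```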


References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30459
https://www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases/


For more information

If you have any questions or comments about this advisory:

    Open an issue in the django-debug-toolbar repo (Please NO SENSITIVE
    INFORMATION, send an email instead!)


    Email us at security@jazzband.co



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

