CVE-2020-7471: 
Django vulnerability analysis and mitigation

CVE-2020-7471 affects Django versions 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3. The vulnerability was discovered by Simon Charette and disclosed on February 3, 2020. The issue allows SQL injection if untrusted data is used as a StringAgg delimiter in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter (Django Security, Ubuntu Security).

The vulnerability exists in the django.contrib.postgres.aggregates.StringAgg aggregation function, which was subject to SQL injection when using a suitably crafted delimiter. By passing a maliciously crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). A remote attacker could potentially leverage this vulnerability to perform SQL injection attacks and manipulate the database (Debian Security, NetApp Advisory).

The vulnerability has been fixed in Django versions 1.11.28, 2.2.10, and 3.0.3. Users are strongly encouraged to upgrade to these patched versions. The fixes involve properly escaping the StringAgg delimiter parameter. Patches have been applied to Django's master branch and the respective release branches (Django Security).