
SQL Injection via Select, Explain and Analyze forms of the SQLPanel for Django Debug Toolbar >= 0.10.0

High
jezdez published GHSA-pghf-347x-c2gj Apr 14, 2021

Package

django-debug-toolbar (pip)

Affected versions

>= 0.10.0

Patched versions

1.11.1, 2.2.1, 3.2.1

Description

Impact

With Django Debug Toolbar 0.10.0 and above, an attacker can execute arbitrary SQL by modifying the raw_sql input of the SQL panel's explain, analyze or select forms and submitting the form.

NOTE: This is a high-severity issue for anyone running the toolbar in a production environment.

Generally, the Django Debug Toolbar team maintains only the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.
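The root of the issue is that the explain/analyze/select forms hand a query string back to the server and trust it, so a client can rewrite `raw_sql` before submitting. The generic defense is to bind the query the server captured to a server-side signature when the page is rendered and to verify that signature before anything is executed. The following is an added example of that pattern, not the project's own code or its actual patch; it uses the standard-library `hmac` module rather than Django's signing helpers, the `SECRET_KEY` value is constructed for illustration, and `execute` / `recording_executor` are hypothetical stand-ins for a database cursor.

```python
import hashlib
import hmac

# Constructed key for this example; a real deployment would use its own
# server-side secret (e.g. Django's SECRET_KEY), never a hard-coded value.
SECRET_KEY = b"example-key-constructed-for-illustration"


def sign_query(raw_sql: str, params: str, key: bytes = SECRET_KEY) -> str:
    """Return an HMAC-SHA256 tag over the query text and its parameters.

    The tag is computed when the page is rendered, so only query strings the
    server itself captured can later be verified. The NUL separator keeps
    different (raw_sql, params) pairs from producing the same message.
    """
    message = raw_sql.encode("utf-8") + b"\x00" + params.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def render_form_fields(raw_sql: str, params: str) -> dict:
    """Build the hidden fields for an explain/analyze/select form."""
    return {
        "raw_sql": raw_sql,
        "params": params,
        "signature": sign_query(raw_sql, params),
    }


def verify_submission(form: dict, key: bytes = SECRET_KEY) -> bool:
    """Check that raw_sql/params were not altered since the form was rendered."""
    try:
        expected = sign_query(form["raw_sql"], form["params"], key)
    except KeyError:
        # A submission missing either field cannot have been rendered by us.
        return False
    # Constant-time comparison avoids leaking the tag byte by byte.
    return hmac.compare_digest(expected, str(form.get("signature", "")))


def run_explain(form: dict, execute):
    """Execute EXPLAIN only for a query whose signature still verifies.

    `execute` is a hypothetical callable standing in for a database cursor;
    this example never touches a real database.
    """
    if not verify_submission(form):
        raise PermissionError("raw_sql or params were modified after rendering")
    return execute("EXPLAIN " + form["raw_sql"], form["params"])


def recording_executor(sql: str, params: str) -> tuple:
    """Stand-in cursor that records what would have been sent to the database."""
    return (sql, params)


if __name__ == "__main__":
    # Constructed captured query, as the SQL panel would have logged it.
    captured = render_form_fields("SELECT id FROM auth_user WHERE id = %s", "[1]")
    print(run_explain(captured, recording_executor))

    # Same form with raw_sql rewritten on the client side: rejected before execution.
    tampered = dict(captured, raw_sql="SELECT version()")
    try:
        run_explain(tampered, recording_executor)
    except PermissionError as exc:
        print("rejected:", exc)
```

The signature covers both the query text and its parameters, so neither can be swapped independently, and a form with no signature at all is refused rather than treated as legacy input. Even with this check in place, the advisory's note still applies: the toolbar should not be enabled in production at all.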

Patches

Please upgrade to one of the following versions, depending on the major version you're using:

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30459
https://www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases/

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-30459

Weaknesses

No CWEs

Credits