A high-severity vulnerability existed in the open-source Django Debug Toolbar. Exploiting this vulnerability could let an adversary mount SQL injection attacks. The developers have deployed the fixes for the latest as well as previous toolbar releases.
Django Debug Toolbar SQL Vulnerability
Reportedly, a high-severity SQL vulnerability existed in the Django Debug toolbar. Django is an open-source Python-based web framework facilitating the development of complex database-driven websites.
According to the details shared via an advisory, the bug allowed the attackers to modify raw_sql input of SQL forms. As stated,
With Django Debug Toolbar attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.
This vulnerability affected all existing and previous releases of the tool. Precisely, the affected versions include Django Debug Toolbar main branch, version 3.2, 2.2, and 1.11.
Patch Available For Previous Versions Too
Upon detecting this bug, the developers rushed to come up with a fix for it. While they usually address vulnerabilities in the latest releases only. However, given the severity of this vulnerability, they released fixes for the previous releases as well.
Generally, the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.
Fixed SQL Injection vulnerability, CVE-2021-30459. The toolbar now calculates a signature on all fields for the SQL select, explain, and analyze forms.
Since the fixed releases are now available, and that the flaw bears serious potential consequences, all Django Debug Toolbar users should ensure upgrading to the latest patched versions at the earliest.