Django Debug Toolbar tripped up by SQL injection flaw

Developers have fixed a serious web security flaw in a debug toolbar for the popular Django framework.

The CVE-2021-30459 vulnerability in the open source Django Debug Toolbar arises because it was possible for attackers to change the raw_sql input of the SQL ‘explain’, ‘analyze’, or ‘select’ forms supported by the tool.

Doctored forms made possible by the security loophole create a mechanism to mount SQL injection attacks.

As an advisory posted by GitHub explains, multiple versions of the toolbar are affected.

Users who use the Django Debug Toolbar – particularly in production environments where the potential for attack is higher are advised to update to 1.11.1, 2.2.1, or 3.2.1 (patched versions of the software).

“Generally, the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue,” the advisory explains.

The Daily Swig asked the plugin’s maintainers to offer additional comment on the software update. We’ll update this story as and when more information comes to hand.

Django is a Python-based open source web framework.

Source: https://portswigger.net/daily-swig/django-debug-toolbar-tripped-up-by-sql-injection-flaw