CVE-2021-30459

Description

A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input field of the SQL explain, analyze, or select form.

Related CPE's

ajazzbanddjango_debug_toolbar********
vulnerable
ajazzbanddjango_debug_toolbar********
vulnerable
ajazzbanddjango_debug_toolbar********
vulnerable

References

https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj

PatchThird Party Advisory

https://www.djangoproject.com/weblog/2021/apr/14/debug-toolbar-security-releases/

Vendor Advisory

https://github.com/jazzband/django-debug-toolbar/releases

Third Party Advisory

CvssV3 impact

BaseSeverity

CRITICAL

ConfidentialityImpact

HIGH

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

HIGH

IntegrityImpact

HIGH

PrivilegesRequired

NONE

BaseScore

9.8

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

PARTIAL

AvailabilityImpact

PARTIAL

IntegrityImpact

PARTIAL

BaseScore

7.5

VectorString

AV:N/AC:L/Au:N/C:P/I:P/A:P

Version

2.0

AccessVector

NETWORK

Authentication

NONE