Django Debug Toolbar security releases issued: 3.2.1, 2.2.1 and 1.11.1.
Django Debug Toolbar security releases issued: 3.2.1, 2.2.1 and 1.11.1
In accordance with the security release policies that Django and Jazzband are following, the Jazzband project team for the Django Debug Toolbar project is issuing Django Debug Toolbar 3.2.1, Django Debug Toolbar 2.2.1 and Django Debug Toolbar 1.11.1. These releases address the security issue with severity "high" detailed below. We encourage all users of Django Debug Toolbar to upgrade as soon as possible.
CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of the SQLPanel for Django Debug Toolbar >= 0.10.0
With Django Debug Toolbar 0.10.0 and above, attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.
This is a high severity issue for anyone using the toolbar in a production environment.
Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.
The GitHub Security Advisory can be found here:
https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj
Affected supported versions
- Django Debug Toolbar main branch
- Django Debug Toolbar 3.2
- Django Debug Toolbar 2.2
- Django Debug Toolbar 1.11
Resolution
Patches to resolve the issue have been applied to Django Debug Toolbar's main branch (for the 3.2 release) and the 2.2 and 1.11 release branches. The patches may be obtained from the following changesets:
- On the main branch
- On the 2.2 release branch
- On the 1.11 release branch
The following releases have been issued:
General notes regarding security reporting
Since this security release is for the 3rd party Django app Django Debug Toolbar, we ask to send potential security issues via private email to security@jazzband.co, and not to Django's regular security email address, nor Django's Trac instance or the django-developers list.