GitHub reports a security vulnerability found in requirement.txt of config repo.
1 django vulnerability found in …/sysinv/requirements.txt
Remediation
Upgrade django to version 2.2.10 or later. For example:
django>=2.2.10
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2020-7471
moderate severity
Vulnerable versions: >= 2.0.0, < 2.2.10
Patched version: 2.2.10
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
From Al Bailey:
StarlingX ships with python2-
This vulnerability warning is for Django 1.11 before 1.11.28 allows SQL Injection
So this issue applies to us.
However, we are currently locked based on the “stein” upper constraints which is 1.11.20
https:/
Train locks to 1.11.24, but that would also have his CVE violation
https:/