Vulnerability CVE-2020-9402: Information
Description
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
python-module-django | p9 | 1.11.29-alt2 | 1.11.29-alt2 | ALT-PU-2021-1636-1 | 266900 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/ |
|
https://docs.djangoproject.com/en/3.0/releases/security/ |
|
USN-4296-1 |
|
https://security.netapp.com/advisory/ntap-20200327-0004/ |
|
GLSA-202004-17 |
|
DSA-4705 |
|
[debian-lts-announce] 20220526 [SECURITY] [DLA 3024-1] python-django security update |
|
https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY | |
FEDORA-2020-c2639662af | |
FEDORA-2020-2e7d30f7aa |