Vulnerability CVE-2020-9402: Information

Description

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-9402
Published: March 5, 2020
Modified: Nov. 7, 2023
Error type identifier: CWE-89

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
python-module-djangop91.11.29-alt21.11.29-alt2ALT-PU-2021-1636-1266900Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
  • Patch
  • Vendor Advisory
https://docs.djangoproject.com/en/3.0/releases/security/
  • Patch
  • Release Notes
  • Vendor Advisory
USN-4296-1
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20200327-0004/
  • Third Party Advisory
GLSA-202004-17
  • Third Party Advisory
DSA-4705
  • Third Party Advisory
[debian-lts-announce] 20220526 [SECURITY] [DLA 3024-1] python-django security update
  • Mailing List
  • Third Party Advisory
https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
    FEDORA-2020-c2639662af
      FEDORA-2020-2e7d30f7aa

          1. Configuration 1

            cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
            Start including
            3.0
            End excliding
            3.0.4
            cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
            Start including
            2.2
            End excliding
            2.2.11
            cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
            Start including
            1.11
            End excliding
            1.11.29

            Configuration 2

            cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
            cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

            Configuration 3

            cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

            Configuration 4

            cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

            Configuration 5

            cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
            cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
            cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.4.2
        Back to top