First published: Wed Mar 04 2020 (Updated: )
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/pulp | <0:2.21.5-2.el7 | 0:2.21.5-2.el7 |
| redhat/python-django | <0:1.11.29-1.el7 | 0:1.11.29-1.el7 |
| Djangoproject Django | >=1.11 <1.11.29 | |
| Djangoproject Django | >=2.2 <2.2.11 | |
| Djangoproject Django | >=3.0 <3.0.4 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Netapp Steelstore Cloud Integrated Storage | | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| redhat/Django | <1.11.29 | 1.11.29 |
| redhat/Django | <2.2.11 | 2.2.11 |
| redhat/Django | <3.0.4 | 3.0.4 |
| ubuntu/python-django | <2.2.11, <1.11.29 | 2.2.11, 1.11.29 |
| ubuntu/python-django | <1:1.11.11-1ubuntu1.8 | 1:1.11.11-1ubuntu1.8 |
| ubuntu/python-django | <1:1.11.22-1ubuntu1.3 | 1:1.11.22-1ubuntu1.3 |
| ubuntu/python-django | <1.8.7-1ubuntu5.12 | 1.8.7-1ubuntu5.12 |
| pip/django | >=2.2.0 <2.2.11 | 2.2.11 |
| pip/django | >=1.11.0 <1.11.29 | 1.11.29 |
| pip/django | >=3.0.0 <3.0.4 | 3.0.4 |
| debian/python-django | | 1:1.11.29-1~deb10u1, 1:1.11.29-1+deb10u11, 2:2.2.28-1~deb11u2, 3:3.2.19-1+deb12u1, 3:4.2.11-1 |
There is no known mitigation for this issue; the flaw can only be resolved by applying the updates listed above.
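The following is an added example, not code from the advisory or from the Django project. It turns the two facts on this page into checks an application team can run: whether an installed Django release falls inside the affected ranges in the table (1.11 before 1.11.29, 2.2 before 2.2.11, 3.0 before 3.0.4), and a strict numeric validation for any tolerance value that originates from user input before it reaches a GIS function or aggregate. The validator is a defence-in-depth check for the application's own code; it does not replace upgrading. The function names, the sample version strings and the sample tolerance inputs are constructed for the example.

```python
import math
import re
from decimal import Decimal

# First patched release of each affected Django series, taken from the advisory table.
FIXED_VERSIONS = {
    (1, 11): (1, 11, 29),
    (2, 2): (2, 2, 11),
    (3, 0): (3, 0, 4),
}


def parse_version(version):
    """Turn a plain dotted release string such as '2.2.10' into a tuple of ints."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a plain release version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_to_cve_2020_9402(version):
    """True if this Django release lies in an affected range from the advisory.

    Releases in series other than 1.11, 2.2 and 3.0 are reported as not
    affected, since the advisory names only those three series.
    """
    parsed = parse_version(version)
    if len(parsed) < 2:
        raise ValueError(f"version needs at least major.minor: {version!r}")
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return False
    # Tuple comparison: ('2.2' -> (2, 2)) sorts before (2, 2, 11), so the
    # bare series release counts as affected, as it should.
    return parsed < fixed


# A tolerance is a plain number: optional sign, digits, optional fraction and exponent.
_NUMBER_RE = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def validate_tolerance(raw):
    """Coerce a user-supplied tolerance to a float, accepting only finite,
    non-negative numbers. Anything else (text, empty strings, NaN/inf,
    booleans, unsupported types) is rejected with ValueError, so a value
    that is not a number never reaches the ORM call."""
    if isinstance(raw, bool):
        raise ValueError("boolean is not a tolerance")
    if isinstance(raw, (int, float, Decimal)):
        value = float(raw)
    elif isinstance(raw, str):
        candidate = raw.strip()
        if not _NUMBER_RE.match(candidate):
            raise ValueError(f"tolerance is not numeric: {raw!r}")
        value = float(candidate)
    else:
        raise ValueError(f"unsupported tolerance type: {type(raw).__name__}")
    if not math.isfinite(value) or value < 0:
        raise ValueError(f"tolerance out of range: {value!r}")
    return value


def is_valid_tolerance(raw):
    """Boolean form of validate_tolerance, convenient for filtering request data."""
    try:
        validate_tolerance(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for version in ("1.11.28", "2.2.10", "2.2.11", "3.0.4", "3.1.0"):
        print(version, "affected" if is_vulnerable_to_cve_2020_9402(version) else "not affected")
    for raw in ("0.05", 1, Decimal("0.001"), "0.05 units", "", "nan", -1):
        print(repr(raw), "accepted" if is_valid_tolerance(raw) else "rejected")
```

The version check deliberately treats a bare series string such as "2.2" as affected, because that is the series' first release; the tolerance validator rejects NaN and infinity even though `float()` would happily parse them, since neither is a meaningful distance for a GIS comparison.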
CVE-2020-9402 is a SQL injection vulnerability found in python-django.
CVE-2020-9402 allows SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle.
The severity of CVE-2020-9402 is high, with a CVSS score of 8.8.
To fix CVE-2020-9402, upgrade Django to version 1.11.29, 2.2.11, or 3.0.4.
You can find more information about CVE-2020-9402 at CVE.org, NIST National Vulnerability Database, Django's official website, Bugzilla, and Red Hat's errata page.