PT-2020-5130 · Django Software Foundation · Django

Norbert Szetei · Published 2020-03-04 · Updated 2026-01-03 · CVE-2020-9402

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Django versions 1.11 before 1.11.29
Django versions 2.2 before 2.2.11
Django versions 3.0 before 3.0.4
Description

Django allows SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. The tolerance value is placed into the generated SQL text rather than bound as a query parameter, so a suitably crafted tolerance breaks escaping and injects attacker-chosen SQL. An attacker who can influence the tolerance value can therefore execute arbitrary SQL statements against the database with the privileges of the application's database account (reading, modifying or deleting data); the defect is a SQL injection, not arbitrary code execution on the host.
Recommendations

For Django version 1.11, update to version 1.11.29 or later.
For Django version 2.2, update to version 2.2.11 or later.
For Django version 3.0, update to version 3.0.4 or later.

Until the update is applied, do not pass untrusted data as the tolerance parameter to GIS functions and aggregates on Oracle: take the tolerance from application configuration, or validate that a user-supplied value is a number (int, float or Decimal) before passing it through.
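The injection pattern and the workaround in miniature, as an added example that is neither Django's code nor part of this advisory: a vulnerable builder that formats the tolerance straight into the SQL text beside a hardened one that accepts only numeric tolerances and hands the value to the driver as a bound parameter. The SDO_GEOM.SDO_DISTANCE template, the column names and the crafted tolerance string are constructed for the demonstration.

```python
import re
from decimal import Decimal

# Added illustration of the CVE-2020-9402 pattern, not Django's own code.
# The two builders mimic the shape of a GIS function compiler that appends
# an Oracle tolerance argument to SDO_GEOM.SDO_DISTANCE; the template,
# column names and function names are assumptions for this demo.

NUMERIC_TYPES = (int, float, Decimal)
TEMPLATE = "SDO_GEOM.SDO_DISTANCE(%(lhs)s, %(rhs)s, %(tolerance)s)"

# Constructed attacker-controlled tolerance: closes the argument list,
# appends its own predicate, then comments out whatever follows.
CRAFTED_TOLERANCE = "0.05) OR 1=1 --"

# Expected shape of a well-formed call: two plain column references and a
# third argument that is either a numeric literal or a bind placeholder.
SINGLE_CALL_RE = re.compile(
    r"^SDO_GEOM\.SDO_DISTANCE\([^,()]+, [^,()]+, (?:-?\d+(?:\.\d+)?|%s)\)$"
)


def distance_sql_vulnerable(lhs, rhs, tolerance=0.05):
    """Pre-fix pattern: the tolerance is formatted into the SQL text.

    Whatever the caller passes becomes part of the statement verbatim, so a
    tolerance that is not a number can change the statement's structure.
    """
    return TEMPLATE % {"lhs": lhs, "rhs": rhs, "tolerance": tolerance}


def distance_sql_fixed(lhs, rhs, tolerance=0.05):
    """Post-fix pattern: reject non-numeric tolerances and bind the value.

    Returns (sql, params). The SQL carries only a placeholder; the driver
    substitutes the parameter, so the value cannot alter the statement.
    bool is excluded explicitly because it is an int subclass.
    """
    if isinstance(tolerance, bool) or not isinstance(tolerance, NUMERIC_TYPES):
        raise TypeError(
            "The 'tolerance' parameter must be numeric, got %s"
            % type(tolerance).__name__
        )
    sql = TEMPLATE % {"lhs": lhs, "rhs": rhs, "tolerance": "%s"}
    return sql, [tolerance]


def looks_like_single_call(sql):
    """True if the generated text still has the expected single-call shape."""
    return SINGLE_CALL_RE.match(sql) is not None


def accepts_tolerance(value):
    """Whether the hardened builder accepts this tolerance value."""
    try:
        distance_sql_fixed("a.geom", "b.geom", value)
    except TypeError:
        return False
    return True


def demo():
    """Run both builders with a legitimate and a crafted tolerance."""
    lhs, rhs = "a.geom", "b.geom"
    results = {
        "vulnerable_ok": distance_sql_vulnerable(lhs, rhs, 0.05),
        "vulnerable_crafted": distance_sql_vulnerable(lhs, rhs, CRAFTED_TOLERANCE),
        "fixed_ok": distance_sql_fixed(lhs, rhs, Decimal("0.001")),
    }
    try:
        distance_sql_fixed(lhs, rhs, CRAFTED_TOLERANCE)
        results["fixed_crafted"] = "accepted"
    except TypeError as exc:
        results["fixed_crafted"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-18s %s" % (name, value))
```

The crafted value passes through the vulnerable builder unchanged and produces a statement whose third argument is no longer a number; the hardened builder refuses it before any SQL is built, and for a legitimate tolerance the SQL text it returns is identical regardless of the value, which is the property a bound parameter gives you and string formatting does not.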

Weakness Enumeration

SQL injection

Related Identifiers

ALT-PU-2020-1708
ALT-PU-2021-1636
BDU:2020-05726
BIT-DJANGO-2020-9402
CVE-2020-9402
DLA-3024-1
DSA-4705-1
GHSA-3GH2-XW74-JMCW
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2020-345
PYSEC-2020-36
RHSA-2021:1313
SUSE-RU-2020:2161-1
SUSE-SU-2020:3309-1
USN-4296-1

Affected Products

Alt Linux
Django
Ubuntu