Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.5
CVSSv2

CVE-2020-9402

Published: 05/03/2020 Updated: 07/11/2023
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 584
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Subscribe to Django

Vulnerability Summary

Django 1.11 prior to 1.11.29, 2.2 prior to 2.2.11, and 3.0 prior to 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

djangoproject django

debian debian linux 9.0

debian debian linux 10.0

fedoraproject fedora 31

fedoraproject fedora 32

netapp steelstore cloud integrated storage -

canonical ubuntu linux 18.04

canonical ubuntu linux 19.10

canonical ubuntu linux 16.04

Vendor Advisories

Debian CVElist Bug Report Logs: python-django: CVE-2020-9402
Debian Bug report logs - #953102 python-django: CVE-2020-9402 Package: src:python-django; Maintainer for src:python-django is Debian Python Modules Team <python-modules-team@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 4 Mar 2020 14:21:02 UTC Severity: important Tags: se ...
Ubuntu Security Notice: python-django vulnerability
Django could allow unintended access to the database ...
Debian Security Advisories: DSA-4705-1 python-django -- security update
It was discovered that Django, a high-level Python web development framework, did not properly sanitize input This would allow a remote attacker to perform SQL injection attacks, Cross-Site Scripting (XSS) attacks, or leak sensitive information For the oldstable distribution (stretch), these problems have been fixed in version 1:1107-2+deb9u9 ...
Arch Linux Issues:
A potential SQL injection has been found in Django before 304, via tolerance parameter in GIS functions and aggregates on Oracle ...

Mailing Lists

Full Disclosure: Django: CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> Django: CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle <!--X-Subject ...

References

CWE-89https://www.djangoproject.com/weblog/2020/mar/04/security-releases/https://docs.djangoproject.com/en/3.0/releases/security/https://usn.ubuntu.com/4296-1/https://security.netapp.com/advisory/ntap-20200327-0004/https://security.gentoo.org/glsa/202004-17https://www.debian.org/security/2020/dsa-4705https://lists.debian.org/debian-lts-announce/2022/05/msg00035.htmlhttps://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrYhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953102https://usn.ubuntu.com/4296-1/https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27975CVE-2024-2961CVE-2024-20380XML injectionHTML injectionCVE-2024-29204CVE-2023-51795memory leakCVE-2024-3470
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook