CVE-2020-9402
Published: 2020-03-05
Priority: P2 · 72 · high · CVSS 3.1 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit / EPSS: 22.51% (97.4th percentile)
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
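The bug class the description names, as an added Python example that is not Django's code: a builder that formats the Oracle tolerance straight into the SQL text (the pre-fix pattern, where a string lifted from a query string breaks out of the SDO function call) beside a hardened builder that type-checks the value and hands it to the driver as a bind parameter. The function names, the `app_place` table and the `PAYLOAD` value are constructed for the demonstration; the payload shape follows the fragment quoted in the Detection section of this page.

```python
"""CVE-2020-9402 bug class: an Oracle GIS tolerance interpolated into SQL
versus the same value validated and bound.

Added example; not Django's code. build_distance_sql_*, validate_tolerance,
the app_place table and PAYLOAD are all made up for the demonstration.
"""
import math
from decimal import Decimal

# Types a tolerance may legitimately have. bool is excluded explicitly below
# because it is a subclass of int.
NUMERIC_TYPES = (int, float, Decimal)

# Constructed attacker input: closes the SDO function's argument list and
# appends an always-true predicate, shortened from the published payload.
PAYLOAD = "0.05) = 1 OR 1=1 OR (1+1"


def build_distance_sql_vulnerable(tolerance):
    """Pre-fix pattern: the tolerance is %-formatted into the SQL template.

    Whatever string the caller supplies becomes part of the statement, so a
    caller who controls it controls the query.
    """
    template = "SELECT SDO_GEOM.SDO_DISTANCE(geom, :pt, %s) FROM app_place"
    return template % tolerance


def validate_tolerance(tolerance):
    """Check the tolerance as a value, not as SQL.

    Accepts a finite positive int, float or Decimal; rejects bool and
    anything string-like, so a raw query-string value cannot reach the SQL
    layer unchecked.
    """
    if isinstance(tolerance, bool) or not isinstance(tolerance, NUMERIC_TYPES):
        raise TypeError("tolerance must be a number, got %r" % (tolerance,))
    if not math.isfinite(tolerance) or not tolerance > 0:
        raise ValueError("tolerance must be a finite positive number")
    return tolerance


def build_distance_sql_fixed(tolerance):
    """Post-fix pattern: validate, then bind. The SQL text is constant and
    the value travels separately as a named parameter."""
    tol = validate_tolerance(tolerance)
    sql = "SELECT SDO_GEOM.SDO_DISTANCE(geom, :pt, :tolerance) FROM app_place"
    return sql, {"tolerance": tol}


def untrusted_tolerance_from_request(raw):
    """What a view should do with a value such as request.GET['tolerance']:
    convert explicitly so a non-numeric string fails before any query is built."""
    try:
        return float(raw)
    except ValueError:
        raise ValueError("tolerance parameter is not numeric: %r" % (raw,))


def vulnerable_query_is_tampered(tolerance):
    """True if the vulnerable builder emitted more predicates than it wrote.
    A crude oracle used only to make the injection visible."""
    return " OR " in build_distance_sql_vulnerable(tolerance)


def fixed_rejects(value):
    """True if the hardened builder refuses the value."""
    try:
        build_distance_sql_fixed(value)
    except (TypeError, ValueError):
        return True
    return False
```

The two builders accept the same arguments, which is the point: the difference is not in what the caller passes but in whether the value is treated as data or as SQL text. Converting the request value with `float()` before it reaches the ORM is the cheap application-side guard even on fixed Django versions.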
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-django | < 2:2.2.11-1 (bookworm) | 2:2.2.11-1 (bookworm) |
| djangoproject | django | >= 1.11 < 1.11.29 | 1.11.29 |
| djangoproject | django | >= 2.2 < 2.2.11 | 2.2.11 |
| djangoproject | django | >= 3.0 < 3.0.4 | 3.0.4 |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
Payload fragment (from the Nuclei template, delivered in a GET query parameter): `20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null OR (1+1`
- Look for HTTP responses containing the Django database error strings 'DatabaseError at', 'ORA-29257:' and 'ORA-06512:' together with 'Request Method:'; together they indicate an injection through the tolerance parameter that reached Oracle and raised an error. ORA-29257 is the error UTL_INADDR.GET_HOST_NAME raises when the name lookup fails, so its presence shows the injected subquery actually executed. These strings come from Django's technical 500 page and only appear with DEBUG=True; a production deployment returning a bare 500 can still be vulnerable.
- Fuzz GET query parameters with the Oracle injection payload aimed at the GIS tolerance parameter; the attack is delivered through URL query string parameters.
- Use the Shodan query cpe:"cpe:2.3:a:djangoproject:django" to identify exposed Django instances that may be vulnerable to this CVE.
- Only Django deployments that use GIS functions and aggregates on an Oracle backend are affected; other database backends are not.
- Red Hat OpenStack Platform, Red Hat Update Infrastructure 3 and Red Hat Ceph Storage ship the flawed code but do not use or support the GIS functionality, so exploitation is not applicable in those deployments.
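The two indicators above as detection logic, written as an added Python example that is not from the page's sources or the Nuclei project. It checks the request side (the payload shape in a decoded query string) and the response side (the AND of the four markers the Nuclei matcher looks for) over a constructed access-log excerpt and a constructed Django debug-page excerpt; the log lines, the response bodies, the `/places/` path and the `tolerance` parameter name are all made up for the demonstration.

```python
"""Detection of CVE-2020-9402 probes over constructed samples.

Added example; not from the page's sources or the Nuclei project. Two
signals are checked, mirroring the page's IOCs:
  1. request side: a query string carrying the Oracle payload shape
  2. response side: a Django debug page showing the Oracle error chain
All sample data below is constructed.
"""
import re
from urllib.parse import unquote_plus

# Request-side indicators, case-insensitive: the UTL_INADDR lookup trick,
# the v$instance read, and the ") = 1 OR (" shape that closes the SDO call.
REQUEST_PATTERNS = [
    re.compile(r"utl_inaddr\.get_host_name", re.I),
    re.compile(r"from\s+v\$instance", re.I),
    re.compile(r"\)\s*=\s*1\s+OR\s+\(", re.I),
]

# Response-side indicators; all must be present (same AND as the Nuclei
# matcher). They are rendered only when Django runs with DEBUG=True.
RESPONSE_MARKERS = ["DatabaseError at", "ORA-29257:", "ORA-06512:", "Request Method:"]

# Constructed access-log lines in combined-log format.
SAMPLE_ACCESS_LOG = """\
10.0.0.7 - - [05/Mar/2020:10:01:02 +0000] "GET /places/?tolerance=0.05 HTTP/1.1" 200 1831
10.0.0.9 - - [05/Mar/2020:10:01:03 +0000] "GET /places/?tolerance=20)%20%3D%201%20OR%20(select%20utl_inaddr.get_host_name((SELECT%20version%20FROM%20v%24instance))%20from%20dual)%20is%20null%20OR%20(1%2B1 HTTP/1.1" 500 52310
10.0.0.11 - - [05/Mar/2020:10:01:04 +0000] "GET /static/app.js HTTP/1.1" 200 9001
"""

# Constructed excerpt of a Django technical-500 page. The value Oracle could
# not resolve as a hostname is the v$instance version the payload asked for,
# which is how this error-based payload leaks data.
SAMPLE_RESPONSE_HIT = """<title>DatabaseError at /places/</title>
<pre class="exception_value">ORA-29257: host 12.2.0.1.0 unknown
ORA-06512: at &quot;SYS.UTL_INADDR&quot;, line 4</pre>
<tr><th>Request Method:</th><td>GET</td></tr>"""

SAMPLE_RESPONSE_MISS = "<h1>Server Error (500)</h1>"

ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def request_is_probe(path):
    """True if the URL-decoded path/query carries any payload pattern."""
    decoded = unquote_plus(path)
    return any(p.search(decoded) for p in REQUEST_PATTERNS)


def response_is_hit(body):
    """True if the body carries every marker the Nuclei template ANDs."""
    return all(marker in body for marker in RESPONSE_MARKERS)


def scan_access_log(text):
    """Return (ip, status, path) for each line whose request looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if m and request_is_probe(m.group("path")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("path")))
    return hits
```

The request-side check is the one to deploy in production: the response markers depend on DEBUG=True, so their absence proves nothing, while the decoded query string still shows the probe. A 500 status on a probe line is a reason to look at the Oracle alert log for the matching ORA-29257, which records what the attacker tried to read.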
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Ubuntu (vendor_ubuntu · 2020-03-04)
Django vulnerability
Summary: Django could allow unintended access to the database.
Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform an SQL injection attack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat (vendor_redhat · 2020-03-04 · CVSS 8.8 · HIGH · CWE-89)
django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle
A SQL-injection flaw was found in python-django, where GIS functions and aggregates in Oracle did not correctly neutralize tolerance-parameter data. A remote attacker could use this flaw to submit crafted data to inject malicious SQL.
Statement: Although the following products ship the flawed code, they do not use or support its functionality and therefore will not be
Debian (vendor_debian · 2020 · CVSS 8.8 · HIGH)
python-django
Scope: local
bookworm: resolved (fixed in 2:2.2.11-1)
bullseye: resolved (fixed in 2:2.2.11-1)
forky: resolved (fixed in 2:2.2.11-1)
sid: resolved (fixed in 2:2.2.11-1)
trixie: resolved (fixed in 2:2.2.11-1)
GHSA (ghsa · 2020-06-05 · HIGH · CWE-89)
SQL injection in Django
OSV (osv · 2020-06-05 · HIGH)
SQL injection in Django
OSV (osv · 2020-03-05 · CVSS 8.8 · HIGH)
CVE-2020-9402: Django 1
No detection rules found.
Nuclei (nuclei · CVSS 8.8 · HIGH)
Django SQL Injection
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malicious SQL.
Template (truncated in the source):
```yaml
id: CVE-2020-9402

info:
  name: Django SQL Injection
  author: geeknik,0x_Akoko
  severity: high
  description: |
    Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allow SQL injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it is possible to break character escaping and inject malici
```
Bugzilla (bugzilla · 2020-03-04 · CVSS 8.8 · HIGH)
CVE-2020-9402 python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commi
Bugzilla (bugzilla · 2020-03-04 · CVSS 8.8 · HIGH)
CVE-2020-9402 python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [epel-all]
Automatically created tracking bug for epel-all (standard Fedora tracking-bug template).
Bugzilla (bugzilla · 2020-03-04 · CVSS 8.8 · HIGH)
CVE-2020-9402 django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle
A flaw was found in Django: GIS functions and aggregates on Oracle were subject to SQL injection through a suitably crafted tolerance.
Reference: https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
Discussion:
Created django:1.6/python-django tracking bugs for this issue:
Affects: fedora-all [bug 1810097]
Created python-django tracking bugs for this issue:
Affects: epel-all [bug 1810094]
Affects: fedora-all [bug 1810093]
Affects: openstack-rdo [bug 1810096]
Created python-django16 tracking bugs for this issue:
Affects: epel-7 [bug 1810095]
External References: https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
Bugzilla (bugzilla · 2020-03-04 · CVSS 8.8 · HIGH)
CVE-2020-9402 django:1.6/python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [fedora-all]
Automatically created tracking bug for fedora-all (standard Fedora tracking-bug template).
Bugzilla (bugzilla · 2020-03-04 · CVSS 8.8 · HIGH)
CVE-2020-9402 python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [openstack-rdo]
Automatically created tracking bug for openstack-rdo (standard Fedora tracking-bug template).
Bugzilla (bugzilla · 2020-03-04 · CVSS 8.8 · HIGH)
CVE-2020-9402 python-django16: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [epel-7]
Automatically created tracking bug for epel-7 (standard Fedora tracking-bug template).
References
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
- https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200327-0004/
- https://usn.ubuntu.com/4296-1/
- https://www.debian.org/security/2020/dsa-4705
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/