cbcvebase.
CVE-2020-9402
published 2020-03-05

CVE-2020-9402: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions…

Priority: P272 high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Flags: EXPLOIT
EPSS: 22.51% (97.4th percentile)
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Affected

14 ranges
Vendor        | Product       | Version range                          | Fixed in
canonical     | ubuntu_linux  |                                        |
canonical     | ubuntu_linux  |                                        |
canonical     | ubuntu_linux  |                                        |
debian        | debian_linux  |                                        |
debian        | debian_linux  |                                        |
debian        | python-django | < python-django 2:2.2.11-1 (bookworm)  | python-django 2:2.2.11-1 (bookworm)
djangoproject | django        | >= 1.11 < 1.11.29                      | 1.11.29
djangoproject | django        | >= 1.11 < 1.11.29                      | 1.11.29
djangoproject | django        | >= 2.2 < 2.2.11                        | 2.2.11
djangoproject | django        | >= 2.2 < 2.2.11                        | 2.2.11
djangoproject | django        | >= 3.0 < 3.0.4                         | 3.0.4
djangoproject | django        | >= 3.0 < 3.0.4                         | 3.0.4
fedoraproject | fedora        |                                        |
fedoraproject | fedora        |                                        |

Detection & IOCs (extracted from sources)

Indicator (other): 20) = 1 OR (select utl_inaddr.get_host_name((SELECT version FROM v$instance)) from dual) is null OR (1+1
  • Look for HTTP responses containing the Django database error strings 'DatabaseError at', 'ORA-29257:' and 'ORA-06512:' together with 'Request Method:' — these indicate a successful SQL injection that triggered an Oracle error via the tolerance parameter.
  • Fuzz query parameters in GET requests with the Oracle SQL injection payload targeting the GIS tolerance parameter; the attack is delivered via URL query string parameters.
  • Use the Shodan query 'cpe:"cpe:2.3:a:djangoproject:django"' to identify exposed Django instances potentially vulnerable to this CVE.
  • The vulnerability only affects Django deployments using GIS functions and aggregates on Oracle backends; non-Oracle databases are not affected.
  • Red Hat OpenStack Platform, Red Hat Update Infrastructure 3 and Red Hat Ceph Storage ship the flawed code but do not use or support the GIS functionality — exploitation is not applicable in those deployments.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.5   | MEDIUM   | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | LOW      |
vendor_redhat |         | 8.8   | HIGH     |