CVE-2020-9402 — SQL Injection in Django
Severity: 8.8 HIGH (NVD)
EPSS: 85.5% (top 0.63%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline
Published: Mar 5
Latest update: Jun 5
Description
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected packages (2 packages)
Also affects: Debian Linux 10.0, 9.0; Fedora 31, 32; Ubuntu Linux 16.04, 18.04, 19.10
Patches
Exploits & PoCs
Nuclei: Django SQL Injection
Vendor Advisories
Community (Bugzilla)
CVE-2020-9402 python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [fedora-all] (2020-03-04)
CVE-2020-9402 python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [epel-all] (2020-03-04)
CVE-2020-9402 django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle (2020-03-04)
CVE-2020-9402 django:1.6/python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [fedora-all] (2020-03-04)
CVE-2020-9402 python-django: django: potential SQL injection via "tolerance" parameter in GIS functions and aggregates on Oracle [openstack-rdo] (2020-03-04)