CVE-2020-9402

Published: 4 March 2020

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Priority

CVSS 3 base score: 8.8

Status

Package	Release	Status
python-django Launchpad, Ubuntu, Debian	bionic	Released (1:1.11.11-1ubuntu1.8)
	eoan	Released (1:1.11.22-1ubuntu1.3)
	precise	Does not exist
	trusty	Not vulnerable
	upstream	Released (2.2.11,1.11.29)
	xenial	Released (1.8.7-1ubuntu5.12)

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
https://ubuntu.com/security/notices/USN-4296-1
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›