Lucene search

K

[email protected]NVD:CVE-2020-9402

HistoryMar 05, 2020 - 3:15 p.m.

CVE-2020-9402

2020-03-0515:15:12

CWE-89

[email protected]

web.nvd.nist.gov

1

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.14

Percentile

95.7%

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Affected configurations

NVD

Node

djangoprojectdjangoRange1.11–1.11.29

OR

djangoprojectdjangoRange2.2–2.2.11

OR

djangoprojectdjangoRange3.0–3.0.4

Node

debiandebian_linuxMatch9.0

OR

debiandebian_linuxMatch10.0

Node

fedoraprojectfedoraMatch31

OR

fedoraprojectfedoraMatch32

Node

netappsteelstore_cloud_integrated_storageMatch-

Node

canonicalubuntu_linuxMatch16.04esm

OR

canonicalubuntu_linuxMatch18.04lts

OR

canonicalubuntu_linuxMatch19.10

References

docs.djangoproject.com/en/3.0/releases/security/

groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY

lists.debian.org/debian-lts-announce/2022/05/msg00035.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/

security.gentoo.org/glsa/202004-17

security.netapp.com/advisory/ntap-20200327-0004/

usn.ubuntu.com/4296-1/

www.debian.org/security/2020/dsa-4705

www.djangoproject.com/weblog/2020/mar/04/security-releases/

CVSS2

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.14

Percentile

95.7%

Related for NVD:CVE-2020-9402

osv5 nuclei1 openvas6 nessus8 alpinelinux1 veracode1 archlinux1 ubuntucve1 cvelist1 github1 freebsd1 cve1 prion1 debiancve1 debian3 ubuntu1 redhatcve1 altlinux2 fedora2 gentoo1 redhat1