Lucene search

GoogleOSV:BIT-DJANGO-2020-9402

HistoryMar 06, 2024 - 10:55 a.m.

BIT-django-2020-9402

2024-03-0610:55:44

Google

osv.dev

django

sql injection

gis

oracle

security

7.7 High

AI Score

Confidence

Low

0.141 Low

EPSS

Percentile

95.7%

JSON

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

CPENameOperatorVersion
djangolt1.11.29
djangolt3.0.4
djangoge2.2.0
djangolt2.2.11
djangoge1.11.0
djangoge3.0.0

Name	Operator	Version
django	lt	1.11.29
django	lt	3.0.4
django	ge	2.2.0
django	lt	2.2.11
django	ge	1.11.0
django	ge	3.0.0

References

docs.djangoproject.com/en/3.0/releases/security/

groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY

lists.debian.org/debian-lts-announce/2022/05/msg00035.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/

security.gentoo.org/glsa/202004-17

security.netapp.com/advisory/ntap-20200327-0004/

usn.ubuntu.com/4296-1/

www.debian.org/security/2020/dsa-4705

www.djangoproject.com/weblog/2020/mar/04/security-releases/