CVE-2020-9402 — HIGH (8.8) — White Hats Nepal

Q: How severe is CVE-2020-9402?

CVE-2020-9402 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-9402?

Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django, Debian Debian Linux, Fedoraproject Fedora, Netapp Steelstore Cloud Integrated Storage, Canonical Ubuntu Linux.

Vulnerability Description

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Djangoproject	Django	>= 1.11, < 1.11.29
Debian	Debian Linux	9.0
Fedoraproject	Fedora	31
Netapp	Steelstore Cloud Integrated Storage	-
Canonical	Ubuntu Linux	16.04

Related Weaknesses (CWE)

CWE-89

References

https://docs.djangoproject.com/en/3.0/releases/security/PatchRelease NotesVendor Advisory
https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
https://lists.debian.org/debian-lts-announce/2022/05/msg00035.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202004-17Third Party Advisory
https://security.netapp.com/advisory/ntap-20200327-0004/Third Party Advisory
https://usn.ubuntu.com/4296-1/Third Party Advisory
https://www.debian.org/security/2020/dsa-4705Third Party Advisory
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/PatchVendor Advisory
https://docs.djangoproject.com/en/3.0/releases/security/PatchRelease NotesVendor Advisory
https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
https://lists.debian.org/debian-lts-announce/2022/05/msg00035.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2020-9402?

CVE-2020-9402 is a vulnerability with a CVSS score of 8.8 (HIGH). Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suit...

How severe is CVE-2020-9402?

CVE-2020-9402 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-9402?

Check the references section above for vendor advisories and patch information. Affected products include: Djangoproject Django, Debian Debian Linux, Fedoraproject Fedora, Netapp Steelstore Cloud Integrated Storage, Canonical Ubuntu Linux.