CVE-2020-9402

HIGH NUCLEI

Django 1.11-1.11.28, 2.2-2.2.10, 3.0-3.0.3 - SQL Injection via GIS Tolerance Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-9402 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Nuclei Templates (1)

Django SQL Injection
HIGHby geeknik,0x_Akoko
Shodan: cpe:"cpe:2.3:a:djangoproject:django"

References (10)

Core 10
Core References
Patch, Release Notes, Vendor Advisory x_refsource_misc
https://docs.djangoproject.com/en/3.0/releases/security/
Patch, Vendor Advisory x_refsource_confirm
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4296-1/
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200327-0004/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202004-17
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2020/dsa-4705
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html

Scores

CVSS v3 8.8
EPSS 0.2251
EPSS Percentile 97.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (12)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
debian/debian_linux 9.0
debian/debian_linux 10.0
djangoproject/django 1.11 - 1.11.29
fedoraproject/fedora 31
fedoraproject/fedora 32
netapp/steelstore_cloud_integrated_storage
pypi/Django 1.11 - 1.11.29PyPI
... and 2 more
Published Mar 05, 2020
Tracked Since Feb 18, 2026