<p>Upgrade <code>Alpine:3.20</code> <code>py3-django</code> to version 1.11.29-r0 or higher.</p>

SQL Injection Affecting py3-django package, versions <1.11.29-r0

Threat Intelligence

Proof of concept

18.5% (97^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-ALPINE320-PY3DJANGO-7013839
published 23 May 2024
disclosed 5 Mar 2020

Report a new vulnerability Found a mistake?

Introduced: 5 Mar 2020

CVE-2020-9402 Open this link in a new tab CWE-89 Open this link in a new tab

How to fix?

Upgrade Alpine:3.20 py3-django to version 1.11.29-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream py3-django package and not the py3-django package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

Low
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High