<p>Upgrade <code>Debian:12</code> <code>python-django</code> to version 2:2.2.11-1 or higher.</p>

SQL Injection Affecting python-django package, versions <2:2.2.11-1

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

EPSS 14.12% (96^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN12-PYTHONDJANGO-1557700
published 4 Mar 2020
disclosed 5 Mar 2020

Report a new vulnerability Found a mistake?

Introduced: 4 Mar 2020

CVE-2020-9402 Open this link in a new tab CWE-89 Open this link in a new tab

How to fix?

Upgrade Debian:12 python-django to version 2:2.2.11-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-django package and not the python-django package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.