Description
SQL injection in Django
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-9402
- https://github.com/django/django/commit/6695d29b1c1ce979725816295a26ecc64ae0e927
- https://docs.djangoproject.com/en/3.0/releases/security
- https://github.com/advisories/GHSA-3gh2-xw74-jmcw
- https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2020-36.yaml
- https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY
- https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200327-0004
- https://usn.ubuntu.com/4296-1
- https://www.debian.org/security/2020/dsa-4705
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases
Packages
- Django: affected >= 1.11, < 1.11.29; fixed in 1.11.29
- Django: affected >= 2.2, < 2.2.11; fixed in 2.2.11
- Django: affected >= 3.0, < 3.0.4; fixed in 3.0.4
Related vulnerabilities
A vulnerability in the Django library for the Python programming language that allows an attacker to execute arbitrary code