Safety vulnerability ID: 38010
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Django 1.11.29, 2.2.11 and 3.0.4 includes a fix for CVE-2020-9402: Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
https://www.djangoproject.com/weblog/2020/mar/04/security-releases
Latest version: 5.0.4
A high-level Python web framework that encourages rapid development and clean, pragmatic design.
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
CONFIRM:https://www.djangoproject.com/weblog/2020/mar/04/security-releases/: https://www.djangoproject.com/weblog/2020/mar/04/security-releases/
MISC:https://docs.djangoproject.com/en/3.0/releases/security/: https://docs.djangoproject.com/en/3.0/releases/security/
MISC:https://groups.google.com/forum/#!topic/django-announce/fLUh_pOaKrY: https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application