HIGH 8.8

PYSEC-2020-345

Details

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / django

Introduced in: 1.11 Fixed in: 1.11.29

Fix pip install --upgrade 'django>=1.11.29'

References

https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY [WEB]
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/ [WEB]
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/ [WEB]
https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html [ADVISORY]
https://security.gentoo.org/glsa/202004-17 [ADVISORY]
https://security.netapp.com/advisory/ntap-20200327-0004/ [ADVISORY]
https://usn.ubuntu.com/4296-1/ [ADVISORY]
https://www.debian.org/security/2020/dsa-4705 [ADVISORY]
https://docs.djangoproject.com/en/3.0/releases/security/ [FIX]
https://www.djangoproject.com/weblog/2020/mar/04/security-releases/ [FIX]