HTTP: Django allows SQL Injection

This signature detects attempts to exploit a known vulnerability against Django. A successful attack can lead to command injection and arbitrary code execution.

Extended Description

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Affected Products

Debian debian_linux

References

CVE: CVE-2020-9402

Short Name
HTTP:SQL:INJ:DJANGO-SQL-INJ
Severity
Minor
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2020-9402 Django Injection SQL allows
Release Date
11/30/2022
Supported Platforms

srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3590
False Positive
Unknown
Vendors

Debian
Fedoraproject
Netapp
Djangoproject
Canonical