Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-3024 advisory.

  - Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data     is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted     tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject     malicious SQL. (CVE-2020-9402)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1313 advisory.

  - rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection     responses (CVE-2015-1820)

  - rubygem-rest-client: unsanitized application logging (CVE-2015-3448)

  - foreman: Managing repositories with their id via hammer does not respect the role filters (CVE-2017-2662)

  - rack-protection: Timing attack in authenticity_token.rb (CVE-2018-1000119)

  - rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)

  - python-psutil: Double free because of refcount mishandling (CVE-2019-18874)

  - netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)

  - foreman: world-readable OMAPI secret through the ISC DHCP server (CVE-2020-14335)

  - rubygem-activeview: Cross-site scripting in translation helpers (CVE-2020-15169)

  - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's     WebApplicationException handling (CVE-2020-25633)

  - rubygem-activestorage: circumvention of file size limits in ActiveStorage (CVE-2020-8162)

  - rubygem-actionpack: possible strong parameters bypass (CVE-2020-8164)

  - rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and     RedisCacheStore (CVE-2020-8165)

  - rubygem-actionpack: ability to forge per-form CSRF tokens given a global CSRF token (CVE-2020-8166)

  - rubygem-actionview: CSRF vulnerability in rails-ujs (CVE-2020-8167)

  - rubygem-rails: untrusted users able to run pending migrations in production (CVE-2020-8185)

  - django: potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle     (CVE-2020-9402)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

- Security fix for CVE-2020-7471.

  - Security fix for CVE-2020-9402.

  - Security fix for CVE-2020-13254.

  - Security fix for CVE-2020-13596.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Django, a high-level Python web development framework, did not properly sanitize input. This would allow a remote attacker to perform SQL injection attacks, Cross-Site Scripting (XSS) attacks, or leak sensitive information.

The remote host is affected by the vulnerability described in GLSA-202004-17 (Django: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Django. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker, by sending specially crafted input, could possibly       cause a Denial of Service condition, or alter the database.
  Workaround :

    There is no known workaround at this time.

MITRE CVE reports :

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Norbert Szetei discovered that Django incorrectly handled the GIS functions and aggregates on Oracle. A remote attacker could possibly use this issue to perform a SQL injection attack.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
161614	Debian DLA-3024-1 : python-django - LTS security update	Nessus	Debian Local Security Checks	high
148903	RHEL 7 : Satellite 6.9 Release (Moderate) (RHSA-2021:1313)	Nessus	Red Hat Local Security Checks	high
137686	Fedora 32 : python-django (2020-c2639662af)	Nessus	Fedora Local Security Checks	critical
137680	Fedora 31 : python-django (2020-2e7d30f7aa)	Nessus	Fedora Local Security Checks	critical
137673	Debian DSA-4705-1 : python-django - security update	Nessus	Debian Local Security Checks	high
136216	GLSA-202004-17 : Django: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
134437	FreeBSD : Django -- potential SQL injection vulnerability (1685144e-63ff-11ea-a93a-080027846a02)	Nessus	FreeBSD Local Security Checks	high
134301	Ubuntu 16.04 LTS / 18.04 LTS : Django vulnerability (USN-4296-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2020-9402

high

Tenable Plugins

high

high

critical

critical

high

critical

high

high