CVE-2020-9402
📋 TL;DR
This CVE is a SQL injection in Django's GIS functions and aggregates on Oracle databases: untrusted data used as the tolerance parameter is interpolated into the generated SQL. An attacker who controls the tolerance value can inject SQL, potentially leading to data theft, modification, or deletion. Affected applications are those running Django on an Oracle database backend and passing untrusted input as the tolerance value.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
Fedora by Fedoraproject
Steelstore Cloud Integrated Storage by Netapp
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise including data exfiltration, modification, or deletion, and potential privilege escalation to execute arbitrary SQL commands.
Likely Case
Data leakage or manipulation of database contents accessible to the application's database user.
If Mitigated
No impact if tolerance parameters are properly validated or if an Oracle database is not used.
🎯 Exploit Status
Exploitation requires the application to use an Oracle database and to accept untrusted tolerance parameters. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Django 1.11.29, 2.2.11, 3.0.4 or later
Vendor Advisory: https://docs.djangoproject.com/en/3.0/releases/security/
Restart Required: Yes
Instructions:
1. Upgrade Django to a patched version using pip, e.g. 'pip install Django==1.11.29' or the appropriate version for your release line.
2. Restart the Django application server.
3. Test application functionality.
🔧 Temporary Workarounds
Input Validation
Validate and sanitize all tolerance parameter inputs before passing them to GIS functions.
Database Backend Switch
Temporarily switch from Oracle to another supported database backend if possible.
🧯 If You Can't Patch
- Implement strict input validation for all tolerance parameters in GIS functions.
- Apply network segmentation to isolate Oracle database from untrusted networks.
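The input-validation workaround above, as an added example that is not Django's own code: the GIS function only ever receives a bounded float, never the raw request string. parse_tolerance, is_valid_tolerance, tolerance_kwargs and the TOLERANCE_MIN/TOLERANCE_MAX bounds are assumptions for this example; the query_params dict stands in for request.GET.

```python
"""Validate an untrusted ``tolerance`` value before it reaches a GIS function.

Added example for this advisory; it is not Django's own code. It models the
workaround "validate and sanitize all tolerance parameter inputs": the GIS
function only ever receives a bounded float, never the raw request string.
TOLERANCE_MIN/TOLERANCE_MAX are assumed application-specific bounds.
"""
import math
import re
from decimal import Decimal

TOLERANCE_MIN = 0.0
TOLERANCE_MAX = 1.0  # assumed bound; pick one that fits your SRID's units

# Plain unsigned decimal only: no sign, exponent, quotes, spaces or punctuation.
_PLAIN_DECIMAL = re.compile(r"[0-9]+(\.[0-9]+)?")


def parse_tolerance(raw):
    """Return ``raw`` as a float inside [TOLERANCE_MIN, TOLERANCE_MAX].

    Raises ValueError for anything else, including None, empty strings,
    strings carrying non-numeric characters, inf/nan and out-of-range values.
    """
    if isinstance(raw, bool):  # bool is an int subclass; reject it explicitly
        raise ValueError("tolerance must be a number, not a boolean")
    if isinstance(raw, (int, float, Decimal)):
        value = float(raw)
    elif isinstance(raw, str):
        text = raw.strip()
        if not _PLAIN_DECIMAL.fullmatch(text):
            raise ValueError(f"tolerance must be a plain decimal number, got {raw!r}")
        value = float(text)
    else:
        raise ValueError(f"unsupported tolerance type {type(raw).__name__}")
    if not math.isfinite(value) or not (TOLERANCE_MIN <= value <= TOLERANCE_MAX):
        raise ValueError(f"tolerance {value!r} outside [{TOLERANCE_MIN}, {TOLERANCE_MAX}]")
    return value


def is_valid_tolerance(raw):
    """True if ``parse_tolerance`` accepts ``raw``, False otherwise."""
    try:
        parse_tolerance(raw)
    except ValueError:
        return False
    return True


def tolerance_kwargs(query_params):
    """Build the keyword arguments for a GIS function call from request data.

    ``query_params`` stands in for ``request.GET`` (a plain dict here). When
    the client sends no tolerance the dict is empty, so the GIS function keeps
    its own default; when it sends one, only the validated float is forwarded,
    e.g. ``Area("geom", **tolerance_kwargs(request.GET))``.
    """
    raw = query_params.get("tolerance")
    if raw is None:
        return {}
    return {"tolerance": parse_tolerance(raw)}


if __name__ == "__main__":
    # Constructed sample inputs: the first two are accepted, the rest rejected.
    for sample in ["0.05", " 0.1 ", "1e3", "0.05'", "nan", "-0.1", "2"]:
        verdict = "ok" if is_valid_tolerance(sample) else "rejected"
        print(f"{sample!r:>10} -> {verdict}")
```

The allow-list regex is deliberately narrower than float(): scientific notation, signs, quotes and whitespace inside the value are all refused, and the numeric range check stops absurd tolerances from reaching the database even when the string is well formed.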
🔍 How to Verify
Check if Vulnerable:
Check the Django version and whether the application uses the Oracle backend with GIS functions or aggregates that accept tolerance parameters.
Check Version:
python -m django --version
Verify Fix Applied:
Verify Django version is 1.11.29+, 2.2.11+, or 3.0.4+ using 'python -m django --version'.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in Django/Oracle logs
- Errors from malformed tolerance parameters
Network Indicators:
- Unusual database query patterns from application servers
SIEM Query:
source="django.logs" AND ("tolerance" OR "gis_" OR "oracle") AND (sql OR injection OR error)
🔗 References
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/fLUh_pOaKrY
- https://lists.debian.org/debian-lts-announce/2022/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4A2AP4T7RKPBCLTI2NNQG3T6MINDUUMZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UZMN2NKAGTFE3YKMNM2JVJG7R2W7LLHY/
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20200327-0004/
- https://usn.ubuntu.com/4296-1/
- https://www.debian.org/security/2020/dsa-4705
- https://www.djangoproject.com/weblog/2020/mar/04/security-releases/