GHSA-3gh2-xw74-jmcw

Source

https://github.com/advisories/GHSA-3gh2-xw74-jmcw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-3gh2-xw74-jmcw/GHSA-3gh2-xw74-jmcw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3gh2-xw74-jmcw

Aliases

Published

2020-06-05T14:52:07Z

Modified

2024-04-01T18:30:50.732523Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

SQL injection in Django

Details

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.11.0

Fixed

1.11.29

Affected versions

1.*

1.11

1.11.1

1.11.2

1.11.3

1.11.4

1.11.5

1.11.6

1.11.7

1.11.8

1.11.9

1.11.10

1.11.11

1.11.12

1.11.13

1.11.14

1.11.15

1.11.16

1.11.17

1.11.18

1.11.20

1.11.21

1.11.22

1.11.23

1.11.24

1.11.25

1.11.26

1.11.27

1.11.28

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.11

Affected versions

2.*

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.4

Affected versions

3.*

3.0

3.0.1

3.0.2

3.0.3