CVE-2020-9402

Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.

Published: Mar 5, 2020
Updated: Nov 9, 2025
CVE: CVE-2020-9402
GHSA: GHSA-3gh2-xw74-jmcw
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
djangoproject / django	3.0	3.0.4
djangoproject / django	2.2	2.2.11
djangoproject / django	1.11	1.11.29
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.10	19.10.x
canonical / ubuntu_linux	16.04	16.04.x
Django	-	1.11.29
Django	2.0.0	2.2.11
Django	3.0.0	3.0.4

Vulnerability Database

300,445

CVE-2020-9402

Deep Security Visibility Without the Complexity