CVE-2020-9402: 
Django vulnerability analysis and mitigation

CVE-2020-9402 affects Django versions 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4. The vulnerability was discovered by Norbert Szetei of Doyensec and disclosed on March 4, 2020. The issue allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates specifically when using Oracle as the database backend (Django Security).

The vulnerability exists in the GIS functions and aggregates implementation when using Oracle as the database backend. By passing a suitably crafted tolerance parameter to these functions, an attacker could break the SQL escaping mechanism and inject malicious SQL code. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD Database).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The attacker could potentially execute arbitrary SQL commands on the underlying Oracle database, compromising the confidentiality, integrity, and availability of the affected system (NetApp Advisory).

The Django team has released patches for all affected versions: Django 3.0.4, Django 2.2.11, and Django 1.11.29. Users are strongly encouraged to upgrade to these patched versions as soon as possible. The fixes have been applied to Django's master branch and the respective release branches (Django Security).