PT-2021-3508 · Django +1

Joel Saunders · Published 2021-07-01 · Updated 2026-01-03 · CVE-2021-35042

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Django 3.1.x through 3.1.12; Django 3.2.x through 3.2.4.
Description: The issue lies in the QuerySet.order_by() method of the Django web framework, which did not properly protect the structure of the generated SQL query: a column reference passed to order_by() could bypass the intended column-name validation. If the argument to order_by() is built from untrusted client input (for example a sort parameter taken from the query string), this allows SQL injection, and a remote attacker may be able to execute arbitrary SQL against the application's database.
Recommendations: For Django 3.1.x through 3.1.12, update to version 3.1.13 or later. For Django 3.2.x through 3.2.4, update to version 3.2.5 or later. As a temporary workaround, never pass untrusted input straight to QuerySet.order_by(): map client-supplied sort keys onto a fixed allowlist of field names, accept at most a leading '-' for descending order, and reject anything else rather than trying to sanitize it. Limit the code paths that may call order_by() with caller-controlled strings to minimize the exposed surface.
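One way to apply the workaround above in application code, as an added example that is neither the advisory's nor Django's own code: a pure-Python allowlist validator for a `?sort=` query parameter, shown beside the vulnerable pattern it replaces. The sort keys, the field names (`created_at`, `title`, `author__name`) and the sample inputs are constructed for the example; it runs without Django installed, and the list it returns is what you would pass to `QuerySet.order_by(*...)`.

```python
import re

# Constructed allowlist for this example (not from the page or from Django):
# the sort keys a client may send, mapped to the only ORM ordering paths that
# will ever reach QuerySet.order_by(). Field names are hypothetical.
SORT_FIELDS = {
    "created": "created_at",
    "title": "title",
    "author": "author__name",
}

# Shape of one ordering term as this example accepts it: an optional leading
# '-' for descending order, then identifier segments joined by '__'.
# '.' is deliberately excluded: on the affected releases a term containing
# '.' skipped the usual column-name validation, which is what made such
# input an injection vector.
_TERM_RE = re.compile(r"^-?[A-Za-z_]\w*(?:__[A-Za-z_]\w*)*$")


class UnsafeOrdering(ValueError):
    """Raised when a client-supplied ordering term is rejected."""


def vulnerable_ordering(sort_param):
    """The anti-pattern the advisory warns about: the raw query-string value
    is split and handed to order_by() unchanged, so whatever the client sent
    (including a term containing '.') becomes part of the ORDER BY clause."""
    return sort_param.split(",")


def validate_ordering(raw_terms, sort_fields=SORT_FIELDS):
    """Return ordering strings that are safe to pass to order_by().

    Every term must match _TERM_RE and its key must be in the allowlist;
    anything else raises UnsafeOrdering instead of being 'sanitized', so an
    injection probe shows up as a 4xx rather than being silently rewritten.
    """
    safe = []
    for term in raw_terms:
        term = term.strip()
        if not term:
            continue  # tolerate a trailing comma such as "?sort=title,"
        if not _TERM_RE.match(term):
            raise UnsafeOrdering(f"malformed ordering term: {term!r}")
        descending = term.startswith("-")
        key = term[1:] if descending else term
        if key not in sort_fields:
            raise UnsafeOrdering(f"ordering key not allowed: {key!r}")
        safe.append(("-" if descending else "") + sort_fields[key])
    return safe


def ordering_from_query(sort_param, default=("-created_at",)):
    """Turn the value of a ?sort= parameter (or None when absent) into
    order_by() arguments, falling back to a fixed default when nothing
    usable was supplied."""
    if sort_param is None:
        return list(default)
    return validate_ordering(sort_param.split(",")) or list(default)


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate sorts, one injection-style
    # probe using the '.' form, and one real-looking field that is not exposed.
    samples = ["-created,title", "author", "id.x); DROP TABLE app_article;--", "price"]
    for sample in samples:
        try:
            print(f"{sample!r} -> order_by(*{ordering_from_query(sample)})")
        except UnsafeOrdering as exc:
            print(f"{sample!r} -> rejected: {exc}")
```

Mapping public sort keys to ORM paths, rather than letting the client name model fields directly, also means a field rename never changes the HTTP API, and it keeps the set of reachable columns explicit in one place for review.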

Weakness Enumeration

SQL injection

Related Identifiers

ALT-PU-2021-2575
ALT-PU-2021-2770
BDU:2021-03557
BIT-DJANGO-2021-35042
CVE-2021-35042
GHSA-XPFP-F569-Q3P2
MGASA-2021-0356
OPENSUSE-SU-2024:11205-1
OPENSUSE-SU-2024:13887-1
OPENSUSE-SU-2024:14208-1
OPENSUSE-SU-2026:10005-1
PYSEC-2021-109

Affected Products

Alt Linux
Django