Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202107-11
HistoryJul 03, 2021 - 12:00 a.m.

[ASA-202107-11] python-django: insufficient validation

2021-07-0300:00:00
security.archlinux.org
141

0.003 Low

EPSS

Percentile

65.2%

JSON

Arch Linux Security Advisory ASA-202107-11

Severity: High
Date : 2021-07-03
CVE-ID : CVE-2021-35042
Package : python-django
Type : insufficient validation
Remote : Yes
Link : https://security.archlinux.org/AVG-2123

Summary

The package python-django before version 3.2.5-1 is vulnerable to
insufficient validation.

Resolution

Upgrade to 3.2.5-1.

pacman -Syu “python-django>=3.2.5-1”

The problem has been fixed upstream in version 3.2.5.

Workaround

None.

Description

A security issue has been found in Django before version 3.2.5.
Unsanitized user input passed to QuerySet.order_by() could bypass
intended column reference validation in path marked for deprecation
resulting in a potential SQL injection even if a deprecation warning is
emitted. As a mitigation the strict column reference validation was
restored for the duration of the deprecation period.

Impact

A remote attacker is able to perform a SQL injection via unsanitized
user input passed to QuerySet.order_by().

References

https://docs.djangoproject.com/en/3.2/releases/3.2.5/#cve-2021-35042-potential-sql-injection-via-unsanitized-queryset-order-by-input
https://github.com/django/django/commit/a34a5f724c5d5adb2109374ba3989ebb7b11f81f
https://security.archlinux.org/CVE-2021-35042

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanypython-django< 3.2.5-1UNKNOWN

Related

altlinux 1
githubexploit 5
openvas 4
ubuntucve 1
osv 4
cvelist 1
alpinelinux 1
fedora 1
prion 1
debiancve 1
cve 1
redhatcve 1
github 1
mageia 1
altlinux
altlinux
Security fix for the ALT Linux 10 package python3-module-django version 3.2.6-alt1
2021-09-10 00:00:00
githubexploit
githubexploit
Exploit for SQL Injection in Djangoproject Django
2021-07-10 12:38:52
Exploit for SQL Injection in Djangoproject Django
2021-09-24 15:30:25
Exploit for SQL Injection in Djangoproject Django
2022-04-25 02:50:00
openvas
openvas
Django 3.1 < 3.1.13, 3.2 < 3.2.5 SQLi Vulnerability - Windows
2021-07-05 00:00:00
Fedora: Security Advisory for python-django (FEDORA-2021-78e501d62a)
2021-08-18 00:00:00
Django 3.1 < 3.1.13, 3.2 < 3.2.5 SQLi Vulnerability - Linux
2021-07-05 00:00:00
ubuntucve
ubuntucve
CVE-2021-35042
2021-07-01 00:00:00
osv
osv
CVE-2021-35042
2021-07-02 10:15:07
BIT-django-2021-35042
2024-03-06 10:54:20
PYSEC-2021-109
2021-07-02 10:15:00
cvelist
cvelist
CVE-2021-35042
2021-07-02 09:54:11
alpinelinux
alpinelinux
CVE-2021-35042
2021-07-02 10:15:00
fedora
fedora
[SECURITY] Fedora 34 Update: python-django-3.1.13-1.fc34
2021-08-18 01:12:29
prion
prion
Sql injection
2021-07-02 10:15:00
debiancve
debiancve
CVE-2021-35042
2021-07-02 10:15:00
cve
cve
CVE-2021-35042
2021-07-02 10:15:00
redhatcve
redhatcve
CVE-2021-35042
2021-07-01 17:23:11
github
github
SQL Injection in Django
2021-09-22 17:34:49
mageia
mageia
Updated python-django package fixes security vulnerabilities
2021-07-16 11:25:31

0.003 Low

EPSS

Percentile

65.2%

JSON
Related for ASA-202107-11
altlinux1githubexploit5openvas4ubuntucve1osv4cvelist1alpinelinux1fedora1prion1debiancve1cve1redhatcve1github1mageia1