CVE-2021-35042
published 2021-07-02

CVE-2021-35042: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

Priority: P273 · Severity: critical · Score: 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 44.37% (98.6th percentile)

Affected (8 ranges)

Vendor          Product         Version range            Fixed in
debian          python-django   -                        -
djangoproject   django          >= 3.0a1 < 3.1.13        3.1.13
djangoproject   django          >= 3.1 < 3.1.13          3.1.13
djangoproject   django          >= 3.1 < 3.1.13          3.1.13
djangoproject   django          >= 3.2 < 3.2.5           3.2.5
djangoproject   django          >= 3.2 < 3.2.5           3.2.5
djangoproject   django          >= 3.2a1 < 3.2.5         3.2.5
fedoraproject   fedora          -                        -

Detection & IOCs (extracted from sources)

IOC (other): vuln.{{rand_string}}]--
  • HTTP 500 response body containing both 'ORDER BY' and either 'ProgrammingError' or 'DatabaseError' is a strong indicator of successful SQL injection probe against Django QuerySet.order_by.
  • Presence of Python DB adapter strings ('psycopg2', 'MySQLdb', 'sqlite3', 'cx_Oracle') in a 500 response body alongside ORDER BY errors confirms Django backend exposure.
  • FOFA/Shodan-style fingerprint: search for HTTP responses containing both 'ProgrammingError' and 'ORDER BY' to identify potentially vulnerable Django instances exposed to the internet.
  • The injection payload is delivered via a GET request query parameter. Monitor for query strings containing patterns like 'vuln.<alpha_string>]--' targeting order_by parameters.
  • Unsanitized user input passed to QuerySet.order_by() bypasses column reference validation via a deprecated code path; monitor application logs for deprecation warnings related to order_by alongside SQL errors.
  • Vulnerability only affects Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5; installations outside these version ranges are not affected.
  • The fuzzing detection template targets only GET requests; POST-based or other HTTP method variants of the same injection vector would not be caught by this rule.
  • Detection relies on Django debug error pages being returned to the client (HTTP 500 with stack trace). Production deployments with DEBUG=False and custom error pages will suppress these indicators, making blind detection necessary.
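The two sides of the guidance above, as an added example that is not part of this record or of the Django project: an application-side allowlist that keeps untrusted sort parameters from ever reaching QuerySet.order_by(), and the response-side indicator (HTTP 500 body with 'ORDER BY' plus a ProgrammingError/DatabaseError and a DB adapter name). The model field names and the sample response bodies are constructed for the demonstration.

```python
import re

# Allowlist of sortable columns; assumed field names for an imaginary model.
ALLOWED_SORT_FIELDS = {"id", "created", "title"}
# A single field reference: optional '-' for descending, then an identifier.
_FIELD_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")


def safe_order_by(raw, allowed=ALLOWED_SORT_FIELDS):
    """Turn a client-supplied ?order=... value into a list that is safe to pass
    to QuerySet.order_by().  Anything that is not exactly an allowlisted field
    name (optionally prefixed with '-') raises ValueError, so the lenient
    validation path in 3.1.x/3.2.x is never exercised with untrusted input."""
    fields = []
    for part in raw.split(","):
        part = part.strip()
        if not _FIELD_RE.fullmatch(part) or part.lstrip("-") not in allowed:
            raise ValueError(f"unsupported sort field: {part!r}")
        fields.append(part)
    return fields


_ERROR_CLASSES = ("ProgrammingError", "DatabaseError")
_DB_ADAPTERS = ("psycopg2", "MySQLdb", "sqlite3", "cx_Oracle")


def flag_orderby_error(status, body):
    """Apply the detection indicator from this record: a 500 whose body carries
    'ORDER BY' together with a DB-API error class name.  Returns the verdict
    and which adapter string (if any) corroborates a Django database backend.
    With DEBUG=False the body carries none of this, as the record notes."""
    hit = (status == 500 and "ORDER BY" in body
           and any(cls in body for cls in _ERROR_CLASSES))
    adapter = next((a for a in _DB_ADAPTERS if a in body), None)
    return {"suspicious": hit, "adapter": adapter if hit else None}


# Constructed sample responses (not captured from a real server).
SAMPLE_ERROR_BODY = (
    "ProgrammingError at /items/\n"
    "syntax error in ORDER BY clause\n"
    "Exception Location: .../site-packages/psycopg2/...\n"
)
SAMPLE_OK_BODY = "<html><body>Server Error (500)</body></html>"
```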

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian   -         9.8     LOW        -
vendor_redhat   -         9.8     CRITICAL   -