CVE-2021-35042
Published 2021-07-02

CVE-2021-35042: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
Priority: P2 (73)
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (EXPLOIT badge)
EPSS: 44.37% (98.6th percentile)
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | python-django | — | — |
| djangoproject | django | >= 3.0a1 < 3.1.13 | 3.1.13 |
| djangoproject | django | >= 3.1 < 3.1.13 | 3.1.13 |
| djangoproject | django | >= 3.1 < 3.1.13 | 3.1.13 |
| djangoproject | django | >= 3.2 < 3.2.5 | 3.2.5 |
| djangoproject | django | >= 3.2 < 3.2.5 | 3.2.5 |
| djangoproject | django | >= 3.2a1 < 3.2.5 | 3.2.5 |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
Other: probe payload pattern `vuln.{{rand_string}}]--` (from the Nuclei template below)
Indicators:
- An HTTP 500 response body containing both 'ORDER BY' and either 'ProgrammingError' or 'DatabaseError' is a strong indicator of a successful SQL injection probe against Django QuerySet.order_by.
- Presence of Python DB adapter strings ('psycopg2', 'MySQLdb', 'sqlite3', 'cx_Oracle') in a 500 response body alongside ORDER BY errors confirms Django backend exposure.
- FOFA/Shodan-style fingerprint: search for HTTP responses containing both 'ProgrammingError' and 'ORDER BY' to identify potentially vulnerable Django instances exposed to the internet.
- The injection payload is delivered via a GET request query parameter. Monitor for query strings containing patterns like 'vuln.<alpha_string>]--' targeting order_by parameters.
- Unsanitized user input passed to QuerySet.order_by() bypasses column reference validation via a deprecated code path; monitor application logs for deprecation warnings related to order_by alongside SQL errors.
Caveats:
- The vulnerability only affects Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5; installations outside these version ranges are not affected.
- The fuzzing detection template targets only GET requests; POST-based or other HTTP method variants of the same injection vector would not be caught by this rule.
- Detection relies on Django debug error pages being returned to the client (HTTP 500 with a stack trace). Production deployments with DEBUG=False and custom error pages will suppress these indicators, making blind detection necessary.
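The two indicator checks above (error-page fingerprint on the response, probe pattern in the query string) as an added example, not code from the original page; the responses and query strings are constructed samples, and the names of the ordering parameters are an assumption.

```python
import re
from urllib.parse import parse_qsl

# Indicator strings come from the Detection & IOCs notes; the responses and
# query strings below are constructed samples, not real captures.
DB_ERRORS = ("ProgrammingError", "DatabaseError")
DB_ADAPTERS = ("psycopg2", "MySQLdb", "sqlite3", "cx_Oracle")
# Which query parameters carry ordering is an assumption; adjust per app.
ORDER_PARAMS = ("order_by", "ordering", "order", "sort")
PROBE_RE = re.compile(r"vuln\.[A-Za-z]+\]--")


def response_indicators(status, body):
    """Classify one HTTP response. Only a 500 whose body leaks an ORDER BY
    database error is the strong indicator; adapter strings confirm Django."""
    has_order_by = "ORDER BY" in body
    errors = [e for e in DB_ERRORS if e in body]
    adapters = [a for a in DB_ADAPTERS if a in body]
    return {
        "strong": status == 500 and has_order_by and bool(errors),
        "django_backend": bool(adapters) and has_order_by and bool(errors),
        "adapters": adapters,
    }


def request_indicators(query_string):
    """Return ordering parameters whose value carries the probe pattern.
    This side still fires when DEBUG=False hides the error page."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name in ORDER_PARAMS and PROBE_RE.search(value):
            hits.append(name)
    return hits


# Constructed samples: a debug error page, a production 500 page, and
# one probing and one benign query string.
DEBUG_PAGE = (
    "ProgrammingError at /items/\n"
    'column "vuln.abcdefgh" does not exist\n'
    'LINE 1: SELECT "items"."id" FROM "items" ORDER BY "vuln.abcdefgh"]--\n'
    'File "/srv/app/venv/lib/psycopg2/__init__.py"\n'
)
PROD_PAGE = "<h1>Server Error (500)</h1>"
PROBE_QS = "order_by=vuln.abcdefgh%5D--&page=2"
BENIGN_QS = "order_by=-created&page=2"

if __name__ == "__main__":
    print(response_indicators(500, DEBUG_PAGE), response_indicators(500, PROD_PAGE))
    print(request_indicators(PROBE_QS), request_indicators(BENIGN_QS))
```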
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA · 2021-09-22 · SQL Injection in Django
CVE-2021-35042 [CRITICAL] CWE-89. Description as above.

OSV · 2021-09-22 · SQL Injection in Django
CVE-2021-35042 [CRITICAL]. Description as above.

OSV · 2021-07-02 · CVE-2021-35042: Django 3
CVE-2021-35042. Description as above.
Red Hat · 2021-07-01 · CVSS 9.8
CVE-2021-35042 [CRITICAL] CWE-89: django: potential SQL injection via unsanitized QuerySet.order_by() input
A flaw was found in django. Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to w
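The application-side hardening that the Red Hat description implies, as an added example (not Django's own code and not part of this page): validate a client-supplied ordering value against an allowlist before it ever reaches QuerySet.order_by(), so the ORM's column reference validation (and the deprecated path that bypasses it in the affected versions) is never the only line of defence. The allowed field names and the default ordering are assumptions.

```python
import re

# Allowlist of orderings the view is willing to accept; an assumption for
# this example. Related lookups use Django's '__' separator.
ALLOWED_ORDER_FIELDS = frozenset({"id", "name", "created", "author__name"})
# Syntactic shape of a plain field reference with optional '-' prefix. This
# is the example's own check, stricter than what the ORM accepts: no '.',
# no quotes, no comment markers.
_ORDER_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*(__[A-Za-z_][A-Za-z0-9_]*)*$")


class InvalidOrdering(ValueError):
    """Raised for any client-supplied ordering that is not on the allowlist."""


def validate_order_by(raw, allowed=ALLOWED_ORDER_FIELDS, default=("-created",)):
    """Turn a comma-separated client value such as '-created,name' into a
    tuple of ordering strings safe to pass as QuerySet.order_by(*result).
    A single bad token rejects the whole value rather than being passed on."""
    if raw is None or raw.strip() == "":
        return tuple(default)
    result = []
    for token in raw.split(","):
        token = token.strip()
        if not _ORDER_RE.match(token):
            raise InvalidOrdering(f"malformed ordering token: {token!r}")
        if token.lstrip("-") not in allowed:
            raise InvalidOrdering(f"ordering field not permitted: {token!r}")
        result.append(token)
    return tuple(result)


def is_valid_order_by(raw, allowed=ALLOWED_ORDER_FIELDS):
    """Boolean form for callers that want to answer with HTTP 400 instead."""
    try:
        validate_order_by(raw, allowed)
        return True
    except InvalidOrdering:
        return False


if __name__ == "__main__":
    # A view would do: Item.objects.order_by(*validate_order_by(request.GET.get("order_by")))
    print(validate_order_by("-created,name"), validate_order_by(None))
    print(is_valid_order_by("vuln.abcdefgh]--"), is_valid_order_by("password"))
```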
Debian · 2021 · CVSS 9.8
CVE-2021-35042 [CRITICAL]: python-django - Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL i...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
Nuclei · CVSS 9.8
CVE-2021-35042 [CRITICAL]: Django QuerySet.order_by - SQL Injection
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.order_by. Attackers can execute arbitrary SQL commands if they control order_by input parameters.
Template:

```yaml
id: CVE-2021-35042
info:
  name: Django QuerySet.order_by - SQL Injection
  author: 0x_Akoko
  severity: critical
  description: |
    Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 contain a SQL injection caused by untrusted input in QuerySet.order_by. Attackers can execute arbitrary SQL commands if they control order_by input parameters.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
  remediation: |
    Update to Django 3.1.13 or 3.2.5 or later versions.
  reference:
    - ht
```
No writeups or analysis indexed.
References:
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/
- https://security.netapp.com/advisory/ntap-20210805-0008/
- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
- https://www.openwall.com/lists/oss-security/2021/07/02/2