SQL Injection Affecting django package, versions [3.2a1,3.2.5) [3.1a1,3.1.13)
Severity: high
Snyk CVSS
  • Attack Complexity: Low
  • Exploit Maturity: Proof of concept
  • EPSS: 0.26% (66th percentile)
NVD
9.8 critical
Red Hat
9.8 critical
  • Snyk ID SNYK-PYTHON-DJANGO-1315688
  • published 2 Jul 2021
  • disclosed 1 Jul 2021
  • credit Joel Saunders

How to fix?

Upgrade Django to version 3.2.5, 3.1.13 or higher.

Overview

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design.

Affected versions of this package are vulnerable to SQL Injection. Unsanitized user input passed to QuerySet.order_by() could bypass the intended column reference validation in a code path marked for deprecation, resulting in a potential SQL injection even though a deprecation warning is emitted.

As a mitigation, the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in Django 3.1 as a side effect of fixing the following ticket.

The issue is not present in the main branch as the deprecated path has been removed.
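Upgrading restores Django's own validation inside order_by(); the view-layer check below is an added, independent safeguard that keeps a raw `?sort=` query parameter from ever reaching order_by() unless it names an allowlisted field. This is constructed example code, not Django's or Snyk's; the field names, the `validate_ordering` helper and the `Article` model in the comment are assumptions.

```python
"""Allowlist validation for user-supplied ordering before QuerySet.order_by().

Constructed defence-in-depth example: a list view should never hand request
input straight to order_by(). Each token must be an allowlisted field name,
optionally prefixed with '-' for descending order; anything else is rejected.
"""
import re

# Hypothetical fields a listing endpoint is allowed to sort by (assumed names).
ALLOWED_SORT_FIELDS = {"id", "created", "title", "author__name"}

# Accepts only Django-style field references: identifier segments joined by
# '__', with an optional leading '-'. No whitespace, punctuation or SQL.
_ORDER_RE = re.compile(
    r"^(-?)([A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z_][A-Za-z0-9_]*)*)$"
)


def validate_ordering(raw, allowed=ALLOWED_SORT_FIELDS, default="id"):
    """Return a list of ordering strings safe to splat into order_by().

    Raises ValueError for unknown names, empty tokens, or any token that does
    not match the identifier grammar, instead of passing it through.
    """
    if not raw:
        return [default]
    result = []
    for token in raw.split(","):
        token = token.strip()
        match = _ORDER_RE.match(token)
        if not match or match.group(2) not in allowed:
            raise ValueError(f"unsupported sort field: {token!r}")
        result.append(match.group(1) + match.group(2))
    return result


def build_ordering(raw, default="id"):
    """Lenient variant: fall back to the default order on bad input.

    Most list views prefer this to a 500 when the query string is hostile
    or simply mistyped. Intended usage inside a Django view (assumed model):
        Article.objects.order_by(*build_ordering(request.GET.get("sort", "")))
    """
    try:
        return validate_ordering(raw, default=default)
    except ValueError:
        return [default]
```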