CVE-2021-35042: SQL Injection in Django
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-35042
GHSA ID
EPSS Score: 0.91151%
CWE
Published: 9/22/2021
Updated: 9/20/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
Django | pip | >= 3.2a1, < 3.2.5 | 3.2.5 |
Django | pip | >= 3.0a1, < 3.1.13 | 3.1.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from insufficient validation in the order_by() handling. The commit diff shows the fix added a regex pattern (ORDER_PATTERN) to validate column references in django/db/models/sql/constants.py and modified add_ordering in query.py to use this check. Prior to the patch, the code only checked for '.' presence in the input string, allowing attackers to inject SQL via malformed order_by parameters. The direct modification of add_ordering in the security patch confirms this function's role in the vulnerability.
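As an added example (not from this page and not Django's own code), the two checks described above modelled in plain Python, side by side, plus the application-level allowlist that removes the dependence on the framework check altogether. The regex text assigned to ORDER_PATTERN is reproduced from memory of Django 3.2.5 and is an assumption; all sample ordering strings are constructed.

```python
import re

# Assumed text of Django's ORDER_PATTERN (django/db/models/sql/constants.py,
# 3.2.5 / 3.1.13), reproduced from memory rather than taken from the page.
ORDER_PATTERN = re.compile(r'\?|[-+]?[.\w]+$')


def legacy_raw_column(item: str) -> bool:
    """Pre-patch rule: any string containing '.' was treated as a raw
    table.column reference and reached the SQL without field validation."""
    return '.' in item


def patched_raw_column(item: str) -> bool:
    """Post-patch rule: a dotted string still takes the raw path, but only if
    it is nothing more than an optional sign plus word characters and dots.
    Caveat: '$' (unlike re.fullmatch) also accepts one trailing newline."""
    return '.' in item and ORDER_PATTERN.match(item) is not None


def audit(items):
    """Per ordering string, report (legacy_raw, patched_raw) so the effect of
    the fix is visible input by input."""
    return {item: (legacy_raw_column(item), patched_raw_column(item)) for item in items}


def safe_ordering(requested, allowed):
    """Application-side mitigation independent of the Django version: keep only
    ordering strings whose field (sign stripped) is on an allowlist, so user
    input can never name arbitrary columns or carry raw SQL fragments."""
    kept = []
    for item in requested:
        field = item[1:] if item.startswith('-') else item
        if field in allowed:
            kept.append(item)
    return kept


if __name__ == '__main__':
    # Constructed samples: two legitimate dotted references, two carrying
    # characters a column reference never needs, and one plain field name.
    samples = ['author.name', '-author.name', 'author.name, x', 'author.name;', 'name']
    for item, (old, new) in audit(samples).items():
        print(f'{item!r:20} legacy raw path: {old!s:5} patched raw path: {new}')
    print(safe_ordering(['-created', 'title.x', 'bogus'], {'created', 'title'}))
```

The plain field name shows that neither version ever routed undotted strings through the raw path; those were always resolved against model field names.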