PYSEC-2021-109 — Vulnetix

PYSEC-2021-109 PUBLISHED CVSS 9.300000190734863 CRITICAL

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	django	3.1, 3.1.1, 3.1.10

Timeline

Jul 2, 2021 CVE Published
Dec 6, 2023 CVE Updated

References

https://docs.djangoproject.com/en/3.2/releases/security/ url
https://www.openwall.com/lists/oss-security/2021/07/02/2 url
https://groups.google.com/forum/#!forum/django-announce url
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/ article
https://github.com/advisories/GHSA-xpfp-f569-q3p2 advisory

Open in Interactive Console →