Threat Encyclopedia

Django.QuerySet.Order_by.SQL.Injection

description-logoDescription

This indicates an attack attempt to exploit an SQL Injection Vulnerability in Python-django.
The vulnerability is due to incorrect input validation in QuerySet.order_by. A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

affected-products-logoAffected Products

Django 3.1.x before 3.1.13
Django 3.2.x before 3.2.5

Impact

System Compromise: Remote attackers can add, view, delete or modify data in the database of the affected application

recomended-action-logoRecommended Actions

Apply the most recent upgrade or patch from the vendor.
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

CVE References

CVE-2021-35042