CVE-2021-35042

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orderby SQL injection if orderby is untrusted input from a client of a web application.

References

Affected packages

Git / github.com/django/django

Affected ranges

Type: GIT
Repo: https://github.com/django/django
Events: Introduced

0b8a0296bfd30748f08021834e95cdae241686e8

Fixed

43873b9c92cfe68a082c7feda86f6fb95a3e902c

Introduced

3591e1c1acbd7c13174275367c3fdf012cb0413b

Fixed

0eca7a66239ef646f59fe2af643199275dae7a35

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-35042.json"

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

29360893df0931703cb2fe0c0fbc0fc963e64ead

Fixed

bfe36ec1f580248d5e718667c204974275f8974a

Affected versions

2.*

2.5

v2.*

v2.5

v2.5.1

v2.5.1c1

v2.5.2

v2.5.2c1

v2.5.3

v2.5.3c1

v2.5.4

v2.5.5

v2.5.5c1

v2.5.5c2

v2.5.6

v2.5.6c1

v2.5a0

v2.5a1

v2.5a2

v2.5b1

v2.5b2

v2.5b3

v2.5c1

v2.5c2

v2.6

v2.6.1

v2.6.2

v2.6.2c1

v2.6.3

v2.6.3rc1

v2.6.4

v2.6.4rc1

v2.6.4rc2

v2.6.5

v2.6.5rc1

v2.6.5rc2

v2.6.6

v2.6.6rc1

v2.6.6rc2

v2.6.7

v2.6.8

v2.6.8rc1

v2.6.8rc2

v2.6a1

v2.6a2

v2.6a3

v2.6b1

v2.6b2

v2.6b3

v2.6rc1

v2.6rc2

v2.7

v2.7.1

v2.7.1rc1

v2.7.2

v2.7.2rc1

v2.7.3

v2.7.3rc1

v2.7.3rc2

v2.7a1

v2.7a2

v2.7a3

v2.7a4

v2.7b1

v2.7b2

v2.7rc1

v2.7rc2

v3.*

v3.1.1

v3.1.1rc1

v3.1.2

v3.1.2rc1

v3.1.3

v3.1.3rc1

v3.1.4

v3.1.4rc1

v3.1.5

v3.1.5rc1

v3.1.5rc2

v3.2

v3.2.1

v3.2.1b1

v3.2.1rc1

v3.2.1rc2

v3.2.2

v3.2.2rc1

v3.2.3

v3.2.3rc1

v3.2.3rc2

v3.2.4

v3.2.4rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-35042.json"