GHSA-xpfp-f569-q3p2

Source

https://github.com/advisories/GHSA-xpfp-f569-q3p2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-xpfp-f569-q3p2/GHSA-xpfp-f569-q3p2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xpfp-f569-q3p2

Aliases

Published

2021-09-22T17:34:49Z

Modified

2024-04-01T19:31:28.765353Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

SQL Injection in Django

Details

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orderby SQL injection if orderby is untrusted input from a client of a web application.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Fixed

3.2.5

Affected versions

3.*

3.2

3.2.1

3.2.2

3.2.3

3.2.4

Ecosystem specific

{
    "affected_functions": [
        "django.db.models.query.QuerySet.order_by"
    ]
}

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.1.13

Affected versions

3.*

3.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.1a1

3.1b1

3.1rc1

3.1

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

Ecosystem specific

{
    "affected_functions": [
        "django.db.models.query.QuerySet.order_by"
    ]
}