oss-sec mailing list archives
Django: CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input
From: Mariusz Felisiak <felisiak.mariusz () gmail com>
Date: Thu, 1 Jul 2021 10:08:07 +0200
https://www.djangoproject.com/weblog/2021/jul/01/security-releases/ In accordance with `our security release policy<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing `Django 3.2.5 <https://docs.djangoproject.com/en/dev/releases/3.2.5/>`_ and `Django 3.1.13 <https://docs.djangoproject.com/en/dev/releases/3.1.13/>`_.These releases address the security issue with severity "high" detailed below. We encourage all users of Django to upgrade as soon as possible.
CVE-2021-35042: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
=====================================================================================Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended
column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted. As a mitigation the strict column reference validation was restored for theduration of the deprecation period. This regression appeared in 3.1 as a side
effect of fixing `#31426 <https://code.djangoproject.com/ticket/31426>`_. The issue is not present in the main branch as the deprecated path has been removed. Thanks to Joel Saunders for the report. Affected supported versions =========================== * Django 3.2 * Django 3.1 Resolution ========== Patches to resolve the issue have been applied to Django's 3.2 and 3.1 release branches. The patches may be obtained from the following changesets:* On the `3.2 release branch <https://github.com/django/django/commit/a34a5f724c5d5adb2109374ba3989ebb7b11f81f>`__ * On the `3.1 release branch <https://github.com/django/django/commit/0bd57a879a0d54920bb9038a732645fb917040e9>`__
The following releases have been issued:* Django 3.2.5 (`download Django 3.2.5 <https://www.djangoproject.com/m/releases/3.2/Django-3.2.5.tar.gz>`_ | `3.2.5 checksums <https://www.djangoproject.com/m/pgp/Django-3.2.5.checksum.txt>`_) * Django 3.1.13 (`download Django 3.1.13 <https://www.djangoproject.com/m/releases/3.1/Django-3.1.13.tar.gz>`_ | `3.1.13 checksums <https://www.djangoproject.com/m/pgp/Django-3.1.13.checksum.txt>`_)
The PGP key ID used for this release is Mariusz Felisiak: `2EF56372BA48CD1B <https://github.com/felixxm.gpg>`_.
General notes regarding security reporting ========================================== As always, we ask that potential security issues be reported via private email to ``security () djangoproject com``, and not via Django's Trac instance or the django-developers list. Please see `our security policies <https://www.djangoproject.com/security/>`_ for further information.
Current thread:
- Django: CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input Mariusz Felisiak (Jul 01)