GHSA-xpfp-f569-q3p2

Source

https://github.com/advisories/GHSA-xpfp-f569-q3p2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-xpfp-f569-q3p2/GHSA-xpfp-f569-q3p2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xpfp-f569-q3p2

Aliases

Published

2021-09-22T17:34:49Z

Modified

2024-09-20T15:22:59.986161Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

SQL Injection in Django

Details

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orderby SQL injection if orderby is untrusted input from a client of a web application.

References

Affected packages

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2a1

Fixed

3.2.5

Affected versions

3.*

3.2a1

3.2b1

3.2rc1

3.2

3.2.1

3.2.2

3.2.3

3.2.4

Ecosystem specific

{
    "affected_functions": [
        "django.db.models.query.QuerySet.order_by"
    ]
}

PyPI / django

Package

Name: django; View open source insights on deps.dev
Purl: pkg:pypi/django

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0a1

Fixed

3.1.13

Affected versions

3.*

3.0a1

3.0b1

3.0rc1

3.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.1a1

3.1b1

3.1rc1

3.1

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

Ecosystem specific

{
    "affected_functions": [
        "django.db.models.query.QuerySet.order_by"
    ]
}