Bug 1187785 - (CVE-2021-35042) VUL-0: CVE-2021-35042: python-Django,python-Django1: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Alberto Planas Dominguez
Security Team bot
Depends on:
Reported: 2021-06-28 14:54 UTC by Gianluca Gabrielli
Modified: 2021-07-01 08:15 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Upstream patch 3.1.x (4.91 KB, patch)
2021-06-28 14:56 UTC, Gianluca Gabrielli
Upstream patch 3.2.x (6.05 KB, patch)
2021-06-28 14:56 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2021-06-28 14:54:45 UTC
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass 
intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the
duration of the deprecation period. This regression appeared in 3.1 as a 
side effect of fixing #31426.

The issue is not present in the main branch as the deprecated path has been

This issue has High severity, according to the Django security policy [1].

Affected versions

* Django 3.2
* Django 3.1


Included with this email are patches implementing the changes described 
above for each affected version of Django. On the release date, these patches 
will be applied to the Django development repository and the following releases 
will be issued along with disclosure of the issues:

* Django 3.2.5
* Django 3.1.13

[1] https://www.djangoproject.com/security/
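The advisory above says the weak spot was the column reference validation applied to ``order_by()`` arguments. The defensive pattern that makes an application independent of that ORM check is to validate user-supplied ordering terms against an explicit allow-list before they ever reach the queryset. The following is an added example written for this report; it is not Django's code and not the upstream patch, and it runs without Django installed. The ``ORDER_PATTERN`` regex, the ``validate_order_terms`` / ``ordering_from_request`` / ``is_safe_ordering`` helpers, the ``ARTICLE_ORDER_COLUMNS`` allow-list and the hypothetical ``Article`` model are all assumptions made here.

```python
"""Allow-list validation for user-supplied ordering terms.

Added example for this bug report; it is not Django's own code and not the
upstream patch.  The regex, helper names and the sample allow-list are
assumptions.  The point is the one the advisory makes: a column reference
taken from a request must be validated strictly *before* it is handed to
QuerySet.order_by(), rather than relying on the ORM's own check.
"""
import re

# Assumed shape check: an optional "-" for descending order, then one or more
# identifiers joined by "__" (plain fields and related lookups), or the lone
# "?" that Django accepts for random ordering.  Anything with spaces, quotes,
# parentheses or semicolons fails this pattern.
ORDER_PATTERN = re.compile(
    r"^(?:-?[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z_][A-Za-z0-9_]*)*|\?)$"
)


class UnsafeOrdering(ValueError):
    """Raised when an ordering term fails validation."""


def validate_order_terms(terms, allowed_columns):
    """Return the terms that are safe to pass to QuerySet.order_by().

    Each term must (1) match ORDER_PATTERN, so characters with SQL meaning are
    never forwarded, and (2) after stripping the direction prefix, name a
    column in the allow-list, so callers cannot sort on fields they should
    not be able to reach.  A violation raises instead of silently dropping
    the term, which keeps the rejected input visible in application logs.
    """
    cleaned = []
    for term in terms:
        if not isinstance(term, str) or not ORDER_PATTERN.match(term):
            raise UnsafeOrdering(f"malformed ordering term: {term!r}")
        column = term[1:] if term.startswith("-") else term
        if column != "?" and column not in allowed_columns:
            raise UnsafeOrdering(f"ordering by {column!r} is not permitted")
        cleaned.append(term)
    return cleaned


def ordering_from_request(raw_param, allowed_columns, default=("-created",)):
    """Turn a comma-separated ?ordering= value into validated order_by() args.

    An empty or missing parameter falls back to `default`.  Only surrounding
    whitespace is stripped from each item; everything else is left to the
    validator so that bad input is reported rather than "fixed up".
    """
    if not raw_param:
        return list(default)
    terms = [t.strip() for t in raw_param.split(",") if t.strip()]
    return validate_order_terms(terms, allowed_columns)


def is_safe_ordering(raw_param, allowed_columns):
    """Boolean convenience wrapper around ordering_from_request()."""
    try:
        ordering_from_request(raw_param, allowed_columns)
    except UnsafeOrdering:
        return False
    return True


# Assumed allow-list for a hypothetical Article model with a related author.
ARTICLE_ORDER_COLUMNS = frozenset({"id", "title", "created", "author__name"})

if __name__ == "__main__":
    # Constructed sample inputs: the first is accepted, the others rejected
    # (a space, a parenthesis, and a field outside the allow-list).
    for raw in ("-created,author__name", "title desc", "id)", "secret_flag"):
        try:
            print(raw, "->", ordering_from_request(raw, ARTICLE_ORDER_COLUMNS))
        except UnsafeOrdering as exc:
            print(raw, "-> rejected:", exc)
    # In a Django view the validated list would be splatted into the queryset:
    # Article.objects.order_by(
    #     *ordering_from_request(request.GET.get("ordering"), ARTICLE_ORDER_COLUMNS)
    # )
```

The allow-list is the part that matters for defence in depth: even if a future ORM change again loosens its own reference check, a request can only ever select from the handful of columns the view explicitly permits, and any other value is rejected and logged rather than passed through.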
Comment 3 Gianluca Gabrielli 2021-06-28 14:56:26 UTC
Created attachment 850602
Upstream patch 3.1.x
Comment 4 Gianluca Gabrielli 2021-06-28 14:56:50 UTC
Created attachment 850603
Upstream patch 3.2.x
Comment 5 Gianluca Gabrielli 2021-06-28 15:10:34 UTC
Affected package:
 - openSUSE:Factory/python-Django  3.2.4

Please upgrade to 3.2.5 as soon as it becomes available.
Comment 8 Christian Almeida de Oliveira 2021-06-29 15:37:53 UTC
Hi @Gianluca,
based on the analysis from Keith, from the SOC side there is nothing to be done, thus I'm assigning it back to the Security team.
Comment 10 Christian Almeida de Oliveira 2021-06-30 08:03:06 UTC
Hi Gianluca,

I could not find info to confirm or deny that SOC is the maintainer of python-django in OBS. For the python-django versions that are used by SOC products there is no doubt, however for other versions I'm afraid SOC might not be the maintainer.
I'm still checking, but it might take time to get to a conclusive answer.

Comment 11 Christian Almeida de Oliveira 2021-06-30 08:14:32 UTC
Please check with "Alberto Planas Dominguez", he might know as he is the person for devel:languages:python.
Comment 14 Gianluca Gabrielli 2021-07-01 08:13:59 UTC
This is now public