{"id":"CVE-2021-35042","details":"Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.","aliases":["BIT-django-2021-35042","GHSA-xpfp-f569-q3p2","PYSEC-2021-109"],"modified":"2026-04-16T04:38:22.596575617Z","published":"2021-07-02T10:15:07.653Z","related":["openSUSE-SU-2024:11205-1","openSUSE-SU-2024:13887-1","openSUSE-SU-2024:14208-1","openSUSE-SU-2026:10005-1"],"references":[{"type":"WEB","url":"https://groups.google.com/forum/#%21forum/django-announce"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SS6NJTBYWOX6J7G4U3LUOILARJKWPQ5Y/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210805-0008/"},{"type":"FIX","url":"https://docs.djangoproject.com/en/3.2/releases/security/"},{"type":"FIX","url":"https://www.djangoproject.com/weblog/2021/jul/01/security-releases/"},{"type":"FIX","url":"https://www.openwall.com/lists/oss-security/2021/07/02/2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/django/django","events":[{"introduced":"0b8a0296bfd30748f08021834e95cdae241686e8"},{"fixed":"43873b9c92cfe68a082c7feda86f6fb95a3e902c"},{"introduced":"3591e1c1acbd7c13174275367c3fdf012cb0413b"},{"fixed":"0eca7a66239ef646f59fe2af643199275dae7a35"}],"database_specific":{"versions":[{"introduced":"3.1"},{"fixed":"3.1.13"},{"introduced":"3.2"},{"fixed":"3.2.5"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-35042.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"34"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}