Bugzilla – Bug 1187785
VUL-0: CVE-2021-35042: python-Django,python-Django1: Potential SQL injection via unsanitized ``QuerySet.order_by()`` input
Last modified: 2024-04-26 13:44:57 UTC
Unsanitized user input passed to ``QuerySet.order_by()`` could bypass intended column reference validation in path marked for deprecation resulting in a potential SQL injection even if a deprecation warning is emitted. As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1 as a side effect of fixing #31426. The issue is not present in the main branch as the deprecated path has been removed.

This issue has High severity, according to the Django security policy [1].

Affected versions
=================

* Django 3.2
* Django 3.1

Resolution
==========

Included with this email are patches implementing the changes described above for each affected version of Django. On the release date, these patches will be applied to the Django development repository and the following releases will be issued along with disclosure of the issues:

* Django 3.2.5
* Django 3.1.13

[1] https://www.djangoproject.com/security/
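The advisory's point is that request data should never reach ``order_by()`` unchecked, whatever the framework version does with deprecated column references. Below is an application-side allowlist for a ``?sort=`` parameter, added here as an example; it is not code from the Django project or from this bug report, and the field names, the mapping and the sample sort strings are constructed.

```python
from typing import Iterable

# Constructed allowlist: sort key the client may send -> model field or
# lookup the view is willing to order by. Nothing else is ever passed on.
ALLOWED_ORDERING = {
    "name": "name",
    "created": "created_at",
    "owner": "owner__username",
}


def safe_ordering(params: Iterable[str], allowed: dict = ALLOWED_ORDERING) -> list:
    """Map client-supplied sort keys onto allowlisted order_by() arguments.

    Each key may carry a leading '-' for descending order. A key that is not
    exactly an allowlisted entry is rejected, so punctuation, whitespace or
    arbitrary expressions never reach the ORM's column-reference handling.
    """
    ordering = []
    for raw in params:
        descending = raw.startswith("-")
        key = raw[1:] if descending else raw
        if key not in allowed:
            raise ValueError(f"unsupported sort field: {raw!r}")
        ordering.append(("-" if descending else "") + allowed[key])
    return ordering


def ordering_from_querystring(sort: str) -> list:
    """Parse a comma-separated ?sort= value; an empty value means no ordering."""
    parts = [p.strip() for p in sort.split(",") if p.strip()]
    return safe_ordering(parts)


# Constructed usage in a Django view. Instead of handing the raw parameter over:
#     Item.objects.order_by(*request.GET.get("sort", "").split(","))
# pass only the validated, mapped names:
#     Item.objects.order_by(*ordering_from_querystring(request.GET.get("sort", "")))

if __name__ == "__main__":
    print(ordering_from_querystring("-created,name"))  # ['-created_at', 'name']
    try:
        ordering_from_querystring("id")  # not in the allowlist, so rejected
    except ValueError as exc:
        print("rejected:", exc)
```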
Created attachment 850602: Upstream patch 3.1.x
Created attachment 850603: Upstream patch 3.2.x
Affected package:

- openSUSE:Factory/python-Django 3.2.4

Please upgrade to 3.2.5 as soon as it becomes available.
Hi @Gianluca, based on the analysis from Keith, from SOC side there is nothing to be done, thus I'm assigning it back to the Security team.
Hi Gianluca, I could not find info to confirm or deny that SOC is the maintainer of python-django in OBS. For the python-django versions that are used by SOC products there is no doubt; however, for other versions I'm afraid SOC might not be the maintainer. I'm still checking, but it might take time to get to a conclusive answer. Cheers, Christian
Please check with "Alberto Planas Dominguez"; he might know, as he is the person for devel:languages:python.
This is now public
done