ALT-PU-2021-2770-1
Package python3-module-django updated to version 3.2.6-alt1 for branch p10 in task 283535.
Closed vulnerabilities
Published: 2021-07-01
BDU:2021-03557
Уязвимость функции QuerySet.order_by() программной платформы для веб-приложений Django, позволяющая нарушителю выполнить произвольные команды
Severity: CRITICAL (9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
Published: 2021-07-02
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2021-35042
Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.
Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://docs.djangoproject.com/en/3.2/releases/security/
- https://groups.google.com/forum/#%21forum/django-announce
- https://groups.google.com/forum/#%21forum/django-announce
- FEDORA-2021-78e501d62a
- FEDORA-2021-78e501d62a
- https://security.netapp.com/advisory/ntap-20210805-0008/
- https://security.netapp.com/advisory/ntap-20210805-0008/
- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
- https://www.djangoproject.com/weblog/2021/jul/01/security-releases/
- https://www.openwall.com/lists/oss-security/2021/07/02/2
- https://www.openwall.com/lists/oss-security/2021/07/02/2