QuerySet.order_by SQL Injection in Django 3.1.x and 3.2.x

QuerySet.order_by SQL Injection in Django 3.1.x and 3.2.x

CVE-2021-35042 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.