CVE-2021-35042 — AI Deep Analysis Summary

🚨 **Essence**: Django's `QuerySet.order_by()` allows SQL injection via unsanitized user input. 📉 **Consequences**: Attackers bypass column validation in deprecated paths, leading to potential data theft or manipulation.

🛡️ **Root Cause**: CWE-89 (SQL Injection). The framework fails to validate user-controlled input passed to `order_by()`, allowing raw SQL references to slip through.

📦 **Affected**: Django versions **3.1.x (up to 3.1.13)** and **3.2.x (up to 3.2.5)**. Python-based Web Application Frameworks using these versions.

💀 **Hacker Power**: Full SQL injection capabilities. Attackers can read, modify, or delete database records. They can potentially escalate privileges by executing arbitrary SQL commands.

⚡ **Threshold**: **LOW**. No authentication required. Exploitation is as simple as injecting parameters into the URL query string (e.g., `?order_by=...`).

🔓 **Public Exp?**: **YES**. Multiple PoCs exist on GitHub (e.g., YouGina, mrlihd). Wild exploitation is possible via simple URL manipulation.

🔍 **Self-Check**: Scan for Django versions < 3.1.13 or < 3.2.5. Look for endpoints using `order_by` with user-controllable parameters. Test with SQL payloads in URL params.

✅ **Fixed?**: **YES**. Official security releases were published on July 1, 2021. Patched in Django 3.1.14+ and 3.2.6+.

🛑 **No Patch?**: **Workaround**: Strictly whitelist allowed column names for `order_by()`. Never pass raw user input directly to the `order_by()` function.

🔥 **Urgency**: **HIGH**. Critical SQL injection with easy exploitation. Immediate patching or mitigation is required to prevent data breaches.