Django SQL ×¢Èë·ì϶£¨CVE-2021-35042£©

°ä²¼¹¦·ò 2021-07-06

0x00 ·ì϶¸ÅÊö

CVE     ID

CVE-2021-35042

ʱ      ¼ä

2021-07-06

Àà      ÐÍ

SQL×¢Èë

µÈ      ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ

ÊÇ

Ó°ÏìÁìÓò


¹¥»÷¸´ÔÓ¶È


¿ÉÓÃÐÔ

¸ß

Óû§½»»¥

ÎÞ

ËùÐèȨÏÞ


PoC/EXP

δ¹«¿ª

ÔÚÒ°ÀûÓÃ

·ñ

 

0x01 ·ì϶ÏêÇé

image.png

Django ÊÇ Python ˵»°Çý¶¯µÄÒ»¸ö¿ªÔ´Ä£ÐÍ-ÊÓͼ-½ÚÔìÆ÷£¨MVC£©·ç¸ñµÄ Web ÀûÓ÷¨Ê½¿ò¼Ü¡£

2021Äê07ÔÂ01ÈÕ£¬Django °ä²¼ÁË3.2.5 ºÍ 3.1.13°æ±¾£¬½¨¸´ÁËDjangoÖеÄÒ»¸öSQL×¢Èë·ì϶£¨CVE-2021-35042£©£¬Django½¨ÒéÓû§¾¡¿ìÉý¼¶¡£

ÓÉÓÚ´«µÝ¸øQuerySet.order_by()µÄÓû§ÊäÈëδ¾­´¦Ö㬹¥»÷ÕßÄܹ»ÀûÓÃÕâÈƹýÏóÕ÷ΪÆúÓõÄõ辶ÖеÄÔ¤ÆÚÁÐÒýÓÃÑéÖ¤£¬´Ó¶øµ¼ÖÂSQL×¢Èë¡£

 

Ó°ÏìÁìÓò

Django  3.2

Django  3.1

 

0x02 ´ëÖý¨Òé

 Ä¿Ç°´Ë·ì϶ÒѾ­½¨¸´£¬½¨ÒéʵʱÉý¼¶ÖÁDjango 3.2.5 »ò 3.1.13¡£

Django 3.2.5ÏÂÔØÁ´½Ó£º

https://www.djangoproject.com/m/releases/3.2/Django-3.2.5.tar.gz

 

Django 3.1.13ÏÂÔØÁ´½Ó£º

https://www.djangoproject.com/m/releases/3.1/Django-3.1.13.tar.gz

 

0x03 ²Î¿¼Á´½Ó

https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35042

https://nvd.nist.gov/vuln/detail/CVE-2021-35042

 

0x04 ¹¦·òÏß

2021-07-01  Django°ä²¼¸üв¼¸æ

2021-07-06  VSRC°ä²¼°²È«¹«¸æ

0x05 ¸½Â¼

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png