CVE-2019-14234
Published: 2019-08-09
Priority P268 · critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 47.69% (98.7th percentile)
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | python-django | < python-django 2:2.2.4-1 (bookworm) | python-django 2:2.2.4-1 (bookworm) |
| djangoproject | django | >= 1.11 < 1.11.23 | 1.11.23 |
| djangoproject | django | >= 1.11a1 < 1.11.23 | 1.11.23 |
| djangoproject | django | >= 2.1 < 2.1.11 | 2.1.11 |
| djangoproject | django | >= 2.1a1 < 2.1.11 | 2.1.11 |
| djangoproject | django | >= 2.2 < 2.2.4 | 2.2.4 |
| djangoproject | django | >= 2.2a1 < 2.2.4 | 2.2.4 |
| fedoraproject | fedora | — | — |
Detection & IOCs (extracted from sources)
- Monitor Django application logs for SQL injection patterns (e.g., 'OR 1=1') appearing in JSONField or HStoreField key/index lookup parameters passed to QuerySet.filter()
- Patch commits for Django master, 1.11, 2.1, and 2.2 branches are available; verify patched versions 1.11.23+, 2.1.11+, 2.2.4+ are deployed
- Vulnerability only affects Django deployments using django.contrib.postgres.fields.JSONField or django.contrib.postgres.fields.HStoreField with user-controlled key/index names in QuerySet.filter() kwargs; applications not using these PostgreSQL-specific fields are not affected
- Red Hat OpenStack Platform versions 9 and 10 do not contain the code for JSONFields, limiting the attack surface on those platforms
- CentOS 8 OpenStack Train and Ussuri releases are not affected; only CentOS 7 deployments (Queens to Train) contain the vulnerable code
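The summary above describes the root cause (user-controlled key or index names reaching the SQL built for JSONField/HStoreField lookups) and the detection notes ask for two things: confirm the deployed Django is at or past the fixed release, and keep user-controlled names out of `QuerySet.filter()` kwargs. The following is an added example written for this page, not code from Django or from any of the advisories quoted here. It assumes a model field name supplied by the caller (`"data"` below) and a user-supplied mapping of key/index name to expected value; the helper names (`is_vulnerable_version`, `is_safe_lookup_key`, `build_key_lookups`) are hypothetical, and the fixed versions are the ones the advisory states. It needs no Django import, so it runs stand-alone.

```python
"""Defensive checks for the CVE-2019-14234 pattern.

Added example; not Django's own code. Assumptions: the caller passes the model
field name (e.g. "data"), user input arrives as a mapping of key/index name ->
expected value that the application wants to turn into QuerySet.filter(**kwargs),
and the fixed versions are those named in the advisory.
"""
import re
from typing import Dict, Tuple, Union

# First fixed release of each vulnerable series, per the advisory text.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 11): (1, 11, 23),
    (2, 1): (2, 1, 11),
    (2, 2): (2, 2, 4),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a Django version string to (major, minor, patch).

    Pre-release suffixes such as "2.2a1" parse as patch 0, which correctly
    places them below the fixed release of their series.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Django version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable_version(version: str) -> bool:
    """True when `version` falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    # Series not named in the advisory (e.g. 2.0.x, 3.x) are out of scope here.
    return fixed is not None and v < fixed


# Allowlist for JSON/HStore key names used in lookups: identifier-like only.
# A double underscore is rejected separately because Django reads "__" as the
# lookup/transform separator, so it would change the meaning of the kwarg.
_SAFE_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def is_safe_lookup_key(key: Union[str, int]) -> bool:
    """Accept non-negative ints (JSON array indexes) and identifier-like strings."""
    if isinstance(key, bool):  # bool is a subclass of int; never a valid index
        return False
    if isinstance(key, int):
        return key >= 0
    return isinstance(key, str) and "__" not in key and bool(_SAFE_KEY_RE.match(key))


class UnsafeLookupKey(ValueError):
    """Raised when user input tries to use a key name outside the allowlist."""


def build_key_lookups(field: str, user_keys: Dict[Union[str, int], object]) -> Dict[str, object]:
    """Build QuerySet.filter() kwargs of the form {"<field>__<key>": value}.

    Every key is validated before it is interpolated into the kwarg name, so a
    name such as "owner') OR 1=1 --" never reaches the ORM as a key or index.
    Returns a plain dict; the caller does Model.objects.filter(**result).
    """
    if not (isinstance(field, str) and is_safe_lookup_key(field)):
        raise UnsafeLookupKey(f"rejected field name {field!r}")
    lookups: Dict[str, object] = {}
    for key, value in user_keys.items():
        if not is_safe_lookup_key(key):
            raise UnsafeLookupKey(f"rejected key/index name {key!r}")
        lookups[f"{field}__{key}"] = value
    return lookups


if __name__ == "__main__":
    # Constructed sample input: one benign request and one carrying a SQL fragment.
    print(is_vulnerable_version("2.2.3"), is_vulnerable_version("2.2.4"))
    print(build_key_lookups("data", {"owner": "alice", 0: "first"}))
    try:
        build_key_lookups("data", {"owner') OR 1=1 --": "anything"})
    except UnsafeLookupKey as exc:
        print("blocked:", exc)
```

The version check is the quick inventory test for the second detection note; the allowlist is the compensating control for the first, and the same `is_safe_lookup_key` predicate can be run over key names pulled from request logs to flag the pattern the note describes. Upgrading to a fixed release remains the actual fix; the allowlist only narrows what an unpatched application will accept.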
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
OSV · 2019-08-16 · CVE-2019-14234 [CRITICAL] · SQL Injection in Django
Description: same text as the summary above.
GHSA · 2019-08-16 · CVE-2019-14234 [CRITICAL] · CWE-89 · SQL Injection in Django
Description: same text as the summary above.
OSV · 2019-08-09 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234: An issue was discovered in Django 1
Description: same text as the summary above.
OSV · 2019-08-01 · CVSS 7.5 · CVE-2019-14232 [HIGH] · python-django vulnerabilities

It was discovered that Django incorrectly handled the Truncator function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2019-14232)

It was discovered that Django incorrectly handled the strip_tags function. A remote attacker could possibly use this issue to cause Django to consume resources, leading to a denial of service. (CVE-2019-14233)

It was discovered that Django incorrectly handled certain lookups in the PostgreSQL support. A remote attacker could possibly use this issue to perform SQL injection attacks. (CVE-2019-14234)

It was discovered that Django incorrectly handled certain invalid UTF-8 octet sequences. A remote attacker could possibly use this issue to cause Django to
Red Hat · vendor_redhat · 2019-08-01 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CWE-20 · Django: SQL injection possibility in key and index lookups for JSONField/HStoreField
Description: same text as the summary above.
Statement: This issue affects the versions of python-django as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and 3, as it contains the vulnerable code.
Ubuntu · vendor_ubuntu · 2019-08-01 · CVSS 7.5 · CVE-2019-14232 [HIGH] · Django vulnerabilities
Title: Django vulnerabilities
Summary: Several security issues were fixed in Django.
Body: same text as the "python-django vulnerabilities" entry above.
Debian · vendor_debian · 2019 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234: python-django - An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, an...
Description: same text as the summary above.
Scope: local
- bookworm: resolved (fixed in 2:2.2.4-1)
- bullseye: resolved (fixed in 2:2.2.4-1)
- forky: resolved (fixed in 2:2.2.4-1)
- sid: resolved (fixed in 2:2.2.4-1)
- trixie: resolved (fixed in 2:2.2.4-1)

No detection rules found.
No public exploits indexed.
Bugzilla · 2019-08-29 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [openstack-rdo]

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of openstack-rdo.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Bugzilla · 2019-08-01 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [epel-7]
Body: the same automatically created tracking-bug text as the openstack-rdo entry above, for affected versions of epel-7.
Bugzilla · 2019-08-01 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [fedora-29]
Body: the same automatically created tracking-bug text as the openstack-rdo entry above, for affected versions of fedora-29.
Bugzilla · 2019-08-01 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [fedora-30]
Body: the same automatically created tracking-bug text as the openstack-rdo entry above, for affected versions of fedora-30.
Bugzilla · 2019-08-01 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234 python-django16: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [epel-7]
Body: the same automatically created tracking-bug text as the openstack-rdo entry above, for affected versions of epel-7 (python-django16 package).
Bugzilla · 2019-07-30 · CVSS 9.8 · CVE-2019-14234 [CRITICAL] · CVE-2019-14234 Django: SQL injection possibility in key and index lookups for JSONField/HStoreField

Key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to QuerySet.filter().

Discussion:
Created python-django tracking bugs for this issue:
- Affects: epel-7 [bug 1735776]
- Affects: fedora-29 [bug 1735779]
- Affects: fedora-30 [bug 1735780]
Created python-django16 tracking bugs for this issue:
- Affects: epel-7 [bug 1735777]

External References:
- https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Upstream Patches for master branch, 1.11, 2.1

References:
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
- https://seclists.org/bugtraq/2019/Aug/15
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20190828-0002/
- https://www.debian.org/security/2019/dsa-4498
- https://www.djangoproject.com/weblog/2019/aug/01/security-releases/