CVE-2019-14234
published 2019-08-09

Priority: P268
CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 47.69% (98.7th percentile)
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Affected

10 ranges
Vendor | Product | Version range | Fixed in
debian | debian_linux | - | -
debian | debian_linux | - | -
debian | python-django | < python-django 2:2.2.4-1 (bookworm) | python-django 2:2.2.4-1 (bookworm)
djangoproject | django | >= 1.11 < 1.11.23 | 1.11.23
djangoproject | django | >= 1.11a1 < 1.11.23 | 1.11.23
djangoproject | django | >= 2.1 < 2.1.11 | 2.1.11
djangoproject | django | >= 2.1a1 < 2.1.11 | 2.1.11
djangoproject | django | >= 2.2 < 2.2.4 | 2.2.4
djangoproject | django | >= 2.2a1 < 2.2.4 | 2.2.4
fedoraproject | fedora | - | -

Detection & IOCs (extracted from sources)

command: QuerySet.filter(**{"OR 1=1": ...})
  • Monitor Django application logs for SQL injection patterns (e.g., 'OR 1=1') appearing in JSONField or HStoreField key/index lookup parameters passed to QuerySet.filter()
  • Patch commits for Django master, 1.11, 2.1, and 2.2 branches are available; verify patched versions 1.11.23+, 2.1.11+, 2.2.4+ are deployed
  • The vulnerability only affects Django deployments using django.contrib.postgres.fields.JSONField or django.contrib.postgres.fields.HStoreField with user-controlled key/index names in QuerySet.filter() kwargs; applications not using these PostgreSQL-specific fields are not affected
  • Red Hat OpenStack Platform versions 9 and 10 do not contain the code for JSONFields, limiting the attack surface on those platforms
  • CentOS 8 OpenStack Train and Ussuri releases are not affected; only CentOS 7 deployments (Queens to Train) contain the vulnerable code
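The key-name handling described above, as an added example that is not part of this record or of Django's own code: the unvalidated pattern the advisory describes beside an allowlisted form, and a log check that flags JSONField/HStoreField lookups whose key or index segments are not identifier-style. The log format, the field names `data` and `attrs`, and the identifier-only key assumption are constructed for the example; upgrading to the fixed versions listed above is the actual fix and this check is defense in depth.

```python
import json
import re

# Key or index segments Django appends after the field name in a lookup such as
# data__color or data__0. Assumption for this example: legitimate keys are
# identifier-style names or integer indexes, so anything else is treated as hostile.
SAFE_SEGMENT = re.compile(r"^(\d+|[A-Za-z_][A-Za-z0-9_]*)$")

def unchecked_key_filter(field, user_key, value):
    """Pattern the advisory describes: a user-controlled key becomes part of the
    lookup name unvalidated, so on unpatched Django it reaches the SQL text."""
    return {f"{field}__{user_key}": value}

def checked_key_filter(field, user_key, value, allowed_keys):
    """Hardened form: the key must be on an application allowlist and be a plain
    identifier before it is used to build kwargs for QuerySet.filter()."""
    if user_key not in allowed_keys or not SAFE_SEGMENT.match(user_key):
        raise ValueError(f"rejected JSON/HStore key: {user_key!r}")
    return {f"{field}__{user_key}": value}

def suspicious_lookups(log_lines, json_fields=("data", "attrs")):
    """Detection pass over log lines of the (constructed) form
    '... filter kwargs={...}': return lookup names on JSON/HStore fields whose
    key or index segments are not identifier-style."""
    hits = []
    for line in log_lines:
        m = re.search(r"kwargs=(\{.*\})", line)
        if not m:
            continue
        try:
            kwargs = json.loads(m.group(1))
        except json.JSONDecodeError:
            continue
        for lookup in kwargs:
            field, *segments = lookup.split("__")
            if field in json_fields and any(not SAFE_SEGMENT.match(s) for s in segments):
                hits.append(lookup)
    return hits

# Constructed sample log lines, not taken from any real deployment.
SAMPLE_LOG = [
    'INFO views.search filter kwargs={"data__color": "red"}',
    'INFO views.search filter kwargs={"data__OR 1=1": "x"}',
    'INFO views.search filter kwargs={"attrs__0": "first"}',
    'INFO views.search filter kwargs={"name__icontains": "bob"}',
]
```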

CVSS provenance

nvd v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL
vendor_ubuntu: 7.5 HIGH