CVE-2019-14234 — SQL Injection in Django
Severity: 9.8 CRITICAL (NVD)
EPSS: 19.1% (top 4.65%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Aug 9
Latest update: Aug 29
Description
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwa…
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 2 packages
Also affects: Debian Linux 10.0, 9.0, Fedora 30
Bugzilla
- CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [openstack-rdo] (2019-08-29)
- CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [epel-7] (2019-08-01)
- CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [fedora-29] (2019-08-01)
- CVE-2019-14234 python-django: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [fedora-30] (2019-08-01)
- CVE-2019-14234 python-django16: Django: SQL injection possibility in key and index lookups for JSONField/HStoreField [epel-7] (2019-08-01)