CVE-2019-14234

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
djangoprojectdjango
1.11 ≤
𝑥
< 1.11.23
djangoprojectdjango
2.1 ≤
𝑥
< 2.1.11
djangoprojectdjango
2.2 ≤
𝑥
< 2.2.4
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-django
bullseye
2:2.2.28-1~deb11u2
fixed
bullseye (security)
2:2.2.28-1~deb11u2
fixed
jessie
not-affected
bookworm
3:3.2.19-1+deb12u1
fixed
bookworm (security)
3:3.2.19-1+deb12u1
fixed
sid
3:4.2.16-1
fixed
trixie
3:4.2.16-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-django
noble
Fixed 1:1.11.22-1ubuntu1
released
mantic
Fixed 1:1.11.22-1ubuntu1
released
lunar
Fixed 1:1.11.22-1ubuntu1
released
kinetic
Fixed 1:1.11.22-1ubuntu1
released
jammy
Fixed 1:1.11.22-1ubuntu1
released
focal
Fixed 1:1.11.22-1ubuntu1
released
disco
Fixed 1:1.11.20-1ubuntu0.2
released
bionic
Fixed 1:1.11.11-1ubuntu1.5
released
xenial
Fixed 1.8.7-1ubuntu5.10
released
trusty
needed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
https://seclists.org/bugtraq/2019/Aug/15
https://security.gentoo.org/glsa/202004-17
https://security.netapp.com/advisory/ntap-20190828-0002/
https://www.debian.org/security/2019/dsa-4498
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
https://docs.djangoproject.com/en/dev/releases/security/
https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
https://seclists.org/bugtraq/2019/Aug/15
https://security.gentoo.org/glsa/202004-17
https://security.netapp.com/advisory/ntap-20190828-0002/
https://www.debian.org/security/2019/dsa-4498
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/