Home > Vulnerability Database > CVE-2019-14234

Mend.io Vulnerability Database

CVE-2019-14234

Good to know:

Date: August 9, 2019

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Language: Python

Severity Score

9.8

Related Resources (23)

Url: https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef

Url: https://www.djangoproject.com/weblog/2019/aug/01/security-releases

Url: https://seclists.org/bugtraq/2019/Aug/15

Url: https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs

Url: http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Url: https://security.netapp.com/advisory/ntap-20190828-0002

Url: https://docs.djangoproject.com/en/dev/releases/security/

Url: https://docs.djangoproject.com/en/dev/releases/security

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-14234

Url: https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs

Url: https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387

Url: https://security.netapp.com/advisory/ntap-20190828-0002/

Url: https://github.com/django/django

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/

Url: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

Url: https://www.debian.org/security/2019/dsa-4498

Url: https://github.com/django/django/commit/f74b3ae3628c26e1b4f8db3d13a91d52a833a975

Url: https://github.com/advisories/GHSA-6r97-cj55-9hrq

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK

Url: https://security.gentoo.org/glsa/202004-17

Url: https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2019-13.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2019-14234

Severity Score

9.8

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version 2.2.4, 2.1.11, 1.11.23

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-14234

Good to know:

Date: August 9, 2019

Language: Python

Severity Score

Related Resources (23)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?