QwikSec

Security Database

CVE

CWE

Training

CVE-2019-14234

Published: Aug 9, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://docs.djangoproject.com/en/dev/releases/security/

x_refsource_MISC

https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs

x_refsource_MISC

https://www.djangoproject.com/weblog/2019/aug/01/security-releases/

x_refsource_CONFIRM

20190812 [SECURITY] [DSA 4498-1] python-django security update

mailing-list

x_refsource_BUGTRAQ

vendor-advisory

x_refsource_DEBIAN

openSUSE-SU-2019:1872

vendor-advisory

x_refsource_SUSE

FEDORA-2019-647f74ce51

vendor-advisory

x_refsource_FEDORA

https://security.netapp.com/advisory/ntap-20190828-0002/

x_refsource_CONFIRM

vendor-advisory

x_refsource_GENTOO

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.