CVE-2019-14234

high-risk

Published 2019-08-09

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Do I need to act?

19.1% chance of exploitation in next 30 days

EPSS score — higher than 81% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 974897759e9afc4cc56fb87e12319fa9697e93c9, ff9dcc0867eba90e9ab1b07a4b3eb79928717918, 8687fbe034ac5eec20e0948b98eb8a2f0b1431a1

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Django

Fedora

Debian Linux

Affected Vendors

Debian Fedoraproject Djangoproject

References (18)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html

Vendor Advisory https://docs.djangoproject.com/en/dev/releases/security/

https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Mailing List https://seclists.org/bugtraq/2019/Aug/15

https://security.gentoo.org/glsa/202004-17

https://security.netapp.com/advisory/ntap-20190828-0002/

Third Party Advisory https://www.debian.org/security/2019/dsa-4498

Vendor Advisory https://www.djangoproject.com/weblog/2019/aug/01/security-releases/