Name of the Vulnerable Software and Affected Versions Django versions 1.11.x through 1.11.22 Django versions 2.1.x through 2.1.10 Django versions 2.2.x through 2.2.3

Description An issue in Django allows SQL injection due to an error in shallow key transformation. This affects key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField. The issue could be exploited using crafted input, such as "OR 1=1" in a key or index name, to return all records. This can be done by passing a suitably crafted dictionary with dictionary expansion as the **kwargs to the QuerySet.filter() function.

Recommendations For Django versions 1.11.x through 1.11.22, update to version 1.11.23 or later. For Django versions 2.1.x through 2.1.10, update to version 2.1.11 or later. For Django versions 2.2.x through 2.2.3, update to version 2.2.4 or later.