CVE-2019-14234

Name of the Vulnerable Software and Affected Versions Django versions 1.11.x through 1.11.22 Django versions 2.1.x through 2.1.10 Django versions 2.2.x through 2.2.3

Description The issue is related to an error in shallow key transformation, affecting key and index lookups for django.contrib.postgres.fields.JSONField and key lookups for django.contrib.postgres.fields.HStoreField. This could lead to SQL injection, potentially allowing a remote attacker to compromise data integrity, gain unauthorized access to protected information, and cause a denial of service. For example, an attacker could exploit this via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary with dictionary expansion as the **kwargs passed to the QuerySet.filter() function.

Recommendations For Django versions 1.11.x through 1.11.22, update to version 1.11.23 or later. For Django versions 2.1.x through 2.1.10, update to version 2.1.11 or later. For Django versions 2.2.x through 2.2.3, update to version 2.2.4 or later.