CVE-2019-14234

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*
cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

21 Nov 2024, 04:26

Type Values Removed Values Added
References () http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html - Mailing List, Third Party Advisory () http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html - Mailing List, Third Party Advisory
References () https://docs.djangoproject.com/en/dev/releases/security/ - Vendor Advisory () https://docs.djangoproject.com/en/dev/releases/security/ - Vendor Advisory
References () https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs - () https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/ -
References () https://seclists.org/bugtraq/2019/Aug/15 - Mailing List, Third Party Advisory () https://seclists.org/bugtraq/2019/Aug/15 - Mailing List, Third Party Advisory
References () https://security.gentoo.org/glsa/202004-17 - () https://security.gentoo.org/glsa/202004-17 -
References () https://security.netapp.com/advisory/ntap-20190828-0002/ - () https://security.netapp.com/advisory/ntap-20190828-0002/ -
References () https://www.debian.org/security/2019/dsa-4498 - Third Party Advisory () https://www.debian.org/security/2019/dsa-4498 - Third Party Advisory
References () https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ - Vendor Advisory () https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ - Vendor Advisory

07 Nov 2023, 03:04

Type Values Removed Values Added
References
  • {'url': 'https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs', 'name': 'https://groups.google.com/forum/#!topic/django-announce/jIoju2-KLDs', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MISC'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/', 'name': 'FEDORA-2019-647f74ce51', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/ -

Information

Published : 2019-08-09 13:15

Updated : 2024-11-21 04:26


NVD link : CVE-2019-14234

Mitre link : CVE-2019-14234

CVE.ORG link : CVE-2019-14234


JSON object : View

Products Affected

debian

  • debian_linux

djangoproject

  • django

fedoraproject

  • fedora
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')