DEBIAN-CVE-2019-14234

DEBIAN-CVE-2019-14234 PUBLISHED CVSS 9.800000190734863 CRITICAL

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Risk Scores

CVSS v3.0

9.800000190734863

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:14	python-django	0, 0, 0
Debian:13	python-django	0, 0, 0
Debian:12	python-django	0, 0, 0
Debian:11	python-django	0, 0, 0

Timeline

Aug 9, 2019 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2019-14234 advisory

Open in Interactive Console →