Home

CVE-2019-14234

Description

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of OR 1=1 in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
19.114

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235 are fixed in Python-django 1.11.23Windows
Vulnerabilities CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235 are fixed in Python-django 2.1.11Windows
Vulnerabilities CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235 are fixed in Python-django 2.2.4Windows
High-level Python web development framework (USN-4084-1) python-django_1.8.7-1ubuntu5.10_all.debLinux
High-level Python web development framework (USN-4084-1) python-django_1.11.20-1ubuntu0.2_all.debLinux
High-level Python web development framework (USN-4084-1) python3-django_1.8.7-1ubuntu5.10_all.debLinux
High-level Python web development framework (USN-4084-1) python3-django_1.11.20-1ubuntu0.2_all.debLinux
python-django security update(DSA-4498-1) python-django_1.10.7-2+deb9u6_all.debLinux
python-django security update(DSA-4498-1) python-django_1.11.23-1~deb10u1_all.debLinux
Vulnerabilities CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235 are fixed in Python-django for linux 1.11.23Linux
Vulnerabilities CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235 are fixed in Python-django for linux 2.1.11Linux
Vulnerabilities CVE-2019-14232,CVE-2019-14233,CVE-2019-14234,CVE-2019-14235 are fixed in Python-django for linux 2.2.4Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234