CVE-2019-14234: Django JSONField/HstoreField SQL Injection Vulnerability Alert
Django has recently published a security bulletin announcing three vulnerabilities. The high-severity one is CVE-2019-14234: possible SQL injection in key and index lookups for JSONField/HStoreField.
A remote attacker could send a crafted dictionary to an affected application that passes it to QuerySet.filter() as **kwargs. When the resulting key or index lookup targets django.contrib.postgres.fields.JSONField, or a key lookup targets django.contrib.postgres.fields.HStoreField, SQL injection may occur. Successful exploitation could allow a remote attacker to read, delete, and modify data in the database.
Affected versions
- Django master development branch
- Django 2.2 before version 2.2.4
- Django 2.1 before version 2.1.11
- Django 1.11 before version 1.11.23
Unaffected versions
- Django 2.2.4
- Django 2.1.11
- Django 1.11.23
Solution:
Django has released new versions that fix these vulnerabilities; affected users should upgrade Django as soon as possible.
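The exposure described above comes from splatting a client-controlled dictionary straight into QuerySet.filter(**kwargs), so the attacker controls the lookup keys, not just the values. As an added illustration (not code from Django or from the advisory), the validator below allow-lists every lookup key before it can reach the ORM; it assumes a hypothetical model with a JSONField named `data` and the listed JSON keys, and it complements, not replaces, the upgrade.

```python
import re

# One lookup part must be a plain identifier (field name, JSON key, lookup name).
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Hypothetical allow-lists for one endpoint (assumed, not from the advisory):
# the JSONField column "data" and the JSON keys a client may filter on.
ALLOWED_FIELDS = {"data"}
ALLOWED_JSON_KEYS = {"sku", "colour", "tags"}
ALLOWED_LOOKUPS = {"exact", "contains", "has_key"}


class UnsafeLookup(ValueError):
    """Raised when a client-supplied lookup key is not on the allow-list."""


def validate_lookup_key(key: str) -> tuple:
    """Check one kwargs key such as 'data__sku' or 'data__tags__0__contains'.

    Returns (field, path, lookup), where path is the tuple of JSON keys /
    integer indexes and lookup defaults to 'exact'. Raises UnsafeLookup for
    any part that is not a digit string or an allow-listed identifier, so
    quotes, spaces and SQL tokens never reach the ORM's key/index lookup code.
    """
    parts = key.split("__")
    if parts[0] not in ALLOWED_FIELDS:
        raise UnsafeLookup(f"field not allowed: {parts[0]!r}")
    rest = parts[1:]
    lookup = "exact"
    if rest and rest[-1] in ALLOWED_LOOKUPS:
        lookup = rest.pop()
    path = []
    for part in rest:
        if part.isdigit():                                  # array index lookup
            path.append(int(part))
        elif _IDENT.match(part) and part in ALLOWED_JSON_KEYS:  # key lookup
            path.append(part)
        else:
            raise UnsafeLookup(f"json key not allowed: {part!r}")
    return parts[0], tuple(path), lookup


def build_filter_kwargs(untrusted: dict) -> dict:
    """Vulnerable pattern:  Model.objects.filter(**request.GET.dict())
    Hardened pattern:       Model.objects.filter(**build_filter_kwargs(request.GET.dict()))
    Only keys that pass validate_lookup_key() are copied into the result."""
    safe = {}
    for key, value in untrusted.items():
        validate_lookup_key(key)  # raises UnsafeLookup on anything suspicious
        safe[key] = value
    return safe
```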