CVE-2019-14234: Django JSONField/HStoreField SQL Injection Vulnerability Alert

Recently, Django officially released a security bulletin announcing three vulnerabilities. The high-risk one is CVE-2019-14234, a possible SQL injection in key and index lookups for JSONField/HStoreField.

CVE-2019-14234

A remote attacker could send a crafted dictionary to an affected application that passes it to QuerySet.filter() in the form of **kwargs. When that dictionary is used for a key or index lookup on django.contrib.postgres.fields.JSONField, or for a key lookup on django.contrib.postgres.fields.HStoreField, SQL injection may occur. Successful exploitation of this vulnerability could allow a remote attacker to read, delete, and modify data in the database.
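As an added example (not from the Django advisory and not Django's own code), the following pure-Python helper shows the defence-in-depth a practitioner would want in front of the pattern described above: never hand an untrusted dictionary to QuerySet.filter(**kwargs) directly, but first validate every lookup key against an allowlist of filterable fields, plain-identifier key-path components and permitted lookup suffixes. The field name "data", the allowlist contents and the sample request dictionaries are constructed assumptions for this example; the helper does not import Django, so it runs stand-alone. Upgrading to a fixed release remains the actual fix.

```python
import re

# Hypothetical allowlist for one endpoint that filters a model with a
# JSONField named "data". The field name, the lookup names and the sample
# request dictionaries below are constructed for this example.
ALLOWED_FIELDS = {"data"}
ALLOWED_LOOKUPS = {"exact", "contains", "has_key", "isnull"}
# A key-path component must be a plain identifier (object key) or a
# non-negative integer (array index); anything else is rejected.
_KEY_PATH_RE = re.compile(r"^(?:[A-Za-z_][A-Za-z0-9_]*|\d+)$")


class UnsafeLookup(ValueError):
    """Raised when an untrusted lookup key fails validation."""


def validate_lookup(key):
    """Split a Django-style lookup string on '__' and check every part.

    Returns (field, key_path, lookup) on success, where key_path is the
    list of JSON key/index components and lookup is '' when none is given.
    """
    parts = key.split("__")
    field, rest = parts[0], parts[1:]
    if field not in ALLOWED_FIELDS:
        raise UnsafeLookup(f"field {field!r} is not filterable")
    lookup = ""
    if rest and rest[-1] in ALLOWED_LOOKUPS:
        lookup = rest.pop()
    for part in rest:
        if not _KEY_PATH_RE.match(part):
            raise UnsafeLookup(
                f"key path component {part!r} is not a plain identifier or index"
            )
    return field, rest, lookup


def safe_filter_kwargs(untrusted):
    """Return a copy of `untrusted` whose keys have all passed validation,
    suitable for Model.objects.filter(**cleaned). The advisory concerns the
    key lookups, so it is the keys that are checked here; values are passed
    through unchanged."""
    cleaned = {}
    for key, value in untrusted.items():
        if not isinstance(key, str):
            raise UnsafeLookup("lookup keys must be strings")
        validate_lookup(key)
        cleaned[key] = value
    return cleaned


def is_safe(untrusted):
    """Boolean convenience wrapper around safe_filter_kwargs."""
    try:
        safe_filter_kwargs(untrusted)
        return True
    except UnsafeLookup:
        return False


if __name__ == "__main__":
    # Constructed request dictionaries, as an endpoint might receive them.
    good = {"data__profile__age": 30, "data__tags__0__exact": "admin"}
    print(safe_filter_kwargs(good))
    bad = {"data__na me": 1}              # a space is not part of an identifier
    print("bad accepted?", is_safe(bad))  # False
```

The allowlist is deliberately strict: JSON keys that legitimately contain dashes, dots or other punctuation are rejected rather than escaped, because rejecting is the only check that does not depend on knowing exactly how the ORM quotes key names.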

Affected versions

  • Django master development branch
  • Django 2.2 before version 2.2.4
  • Django 2.1 before version 2.1.11
  • Django 1.11 before version 1.11.23

Unaffected versions

  • Django 2.2.4
  • Django 2.1.11
  • Django 1.11.23

Solution:

Django has released new versions that fix these vulnerabilities; affected users are advised to upgrade Django as soon as possible.
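As an added check (not part of the advisory), the following Python snippet scans pip freeze style output for pinned Django versions and flags those that fall inside the affected ranges listed above. The FIXED_IN table holds the fixed releases named in the advisory; the sample freeze output is constructed. Release series the advisory does not mention are reported as unknown rather than as safe.

```python
import re

# Fixed releases from the advisory, keyed by release series (major, minor).
FIXED_IN = {
    (2, 2): (2, 2, 4),
    (2, 1): (2, 1, 11),
    (1, 11): (1, 11, 23),
}

# Constructed sample of `pip freeze` output; not taken from a real system.
SAMPLE_FREEZE = """\
Django==2.2.3
django-filter==2.1.0
psycopg2-binary==2.8.3
"""


def parse_version(text):
    """Turn '2.2.3' into (2, 2, 3). A trailing non-numeric suffix such as
    'rc1' is dropped, so '2.2rc1' becomes (2, 2)."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_affected(version_text):
    """True if the version is below the fixed release of its series,
    False if it is at or above it, and None for a series the advisory
    does not list (e.g. 2.0 or 1.10), which should be treated as
    unknown rather than as safe."""
    v = parse_version(version_text)
    series = v[:2]
    if series not in FIXED_IN:
        return None
    return v < FIXED_IN[series]


def find_django_pins(freeze_output):
    """Return {version_string: is_affected(...)} for every pinned Django
    line in pip-freeze style text. The name match is case-insensitive;
    'django-filter' and similar packages do not match because '==' must
    follow the bare name."""
    pins = {}
    for line in freeze_output.splitlines():
        m = re.match(r"^\s*django\s*==\s*([^\s;#]+)", line, re.IGNORECASE)
        if m:
            pins[m.group(1)] = is_affected(m.group(1))
    return pins


if __name__ == "__main__":
    for version, affected in find_django_pins(SAMPLE_FREEZE).items():
        status = {True: "AFFECTED", False: "fixed", None: "unknown series"}[affected]
        print(f"Django=={version}: {status}")
```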