CVE-2019-14234: Django JSONField/HstoreField SQL Injection Vulnerability Alert

Recently, Django officially released a security bulletin to announce three vulnerability. The high-risk vulnerability is CVE-2019-14234, SQL injection possibility in key and index lookups for JSONField/HStoreField.

A remote attacker could send a well-crafted dictionary to the affected application, passing it to QuerySet.filter() in the form of **kwargs, when doing a key/index lookup on django.contrib.postgres.fields.JSONField, or against django.contrib.postgres.fields.HStoreField, SQL injection may occur when performing key lookups. Successful exploitation of this vulnerability could allow a remote attacker to read, delete, and modify data in the database.

Affected version

• Django master development branch
• Django 2.2 before version 2.2.4
• Django 2.1 before version 2.1.11
• Django 1.11 before version 1.11.23

Unaffected version

• Django 2.2.4
• Django 2.1.11
• Django 1.11.23

Solution:

Django officially released a new version to fix these vulnerabilities, please the affected users upgrade Django as soon as possible.