ALPINE-CVE-2019-14234

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2019-14234

Published: 09 Aug 2019, 13:15

Last modified:19 Nov 2025, 06:15

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

3.0 (osv_alpine)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

09 Aug 2019, 13:15

Published

Vulnerability first disclosed

19 Nov 2025, 06:15

Last Modified

Vulnerability information updated

Description

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

CVSS Metrics

v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

alpine•py-django
< 1.11.23-r0 | < 1.11.23-r0 | < 1.11.23-r0 | < 1.11.23-r0
alpine•py3-django
< 1.11.23-r0 | < 1.11.23-r0

References (1)

https://security.alpinelinux.org/vuln/CVE-2019-14234