DEBIAN-CVE-2019-14234
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 09 Aug 2019, 13:15
Last modified:28 Apr 2026, 20:20
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
3.0 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
09 Aug 2019, 13:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:20
Last Modified
Vulnerability information updated
Description
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
CVSS Metrics
- v3.0•CRITICAL•Score: 9.8CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Systems
- debian•python-django
< 2:2.2.4-1 | < 2:2.2.4-1 | < 2:2.2.4-1 | < 2:2.2.4-1