9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-14234

GHSA ID

GHSA-6r97-cj55-9hrq

EPSS Score

0.95104%

CWE

CWE-89

Published

8/16/2019

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-14234

CVE-2019-14234:
SQL Injection in Django

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

(GitHub Advisory)

9.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-14234

GHSA ID

GHSA-6r97-cj55-9hrq

EPSS Score

0.95104%

CWE

CWE-89

Published

8/16/2019

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Django	pip	>= 1.11a1, < 1.11.23	1.11.23
Django	pip	>= 2.1a1, < 2.1.11	2.1.11
Django	pip	>= 2.2a1, < 2.2.4	2.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper SQL query construction in the KeyTransform classes for HStoreField and JSONField. The original implementations in hstore.py and jsonb.py used unsafe string interpolation (via %-formatting) for key/index names when generating SQL fragments. This allowed attackers to inject malicious SQL via specially crafted key names in filter() kwargs. The patches replaced direct string interpolation with parameterized queries ([self.key_name] + params), confirming these functions were the injection vectors. The added test cases demonstrating 'OR 1=1' exploitation via key names further validate these as the vulnerable points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in *j*n*o *.**.x ***or* *.**.**, *.*.x ***or* *.*.**, *n* *.*.x ***or* *.*.*. *u* to *n *rror in s**llow k*y tr*ns*orm*tion, k*y *n* in**x lookups *or *j*n*o.*ontri*.post*r*s.*i*l*s.JSON*i*l*, *n* k*y lookups *or *j*n*o.*ontri

Reasoning

T** vuln*r**ility st*ms *rom improp*r SQL qu*ry *onstru*tion in t** K*yTr*ns*orm *l*ss*s *or *Stor**i*l* *n* JSON*i*l*. T** ori*in*l impl*m*nt*tions in *stor*.py *n* json*.py us** uns*** strin* int*rpol*tion (vi* %-*orm*ttin*) *or k*y/in**x n*m*s w**

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-14234: SQL Injection in Django

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-14234:
SQL Injection in Django

Vulnerability Intelligence
Miggo AI