CVE-2019-14234 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2019-14234 Interim 1 23 2023-09-07T00:14:17Z current 2021-05-30T14:30:08Z 2023-09-07T00:14:17Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2019-14234 An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2019-August/005830.html E-Mail link for SUSE-SU-2019:2180-1 https://www.suse.com/support/update/announcement/2019/suse-su-20192257-1.html E-Mail link for SUSE-SU-2019:2257-1 https://lists.suse.com/pipermail/sle-security-updates/2019-September/005894.html E-Mail link for SUSE-SU-2019:2335-1 https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html E-Mail link for openSUSE-SU-2019:1839-1 https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html E-Mail link for openSUSE-SU-2019:1872-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings HPE Helion OpenStack 8 SUSE Enterprise Storage 4 SUSE Enterprise Storage 5 SUSE OpenStack Cloud 6-LTSS SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 SUSE Package Hub 15 SP1 openSUSE Leap 15.1 python-Django python-Django-1.11.23-3.12.1 python-Django-1.8.19-3.15.1 python-Django1-1.11.23-3.9.1 python3-Django-2.2.4-bp151.3.3.1 python3-Django-2.2.4-lp151.2.3.1 python-Django-1.11.23-3.12.1 as a component of HPE Helion OpenStack 8 python-Django-1.8.19-3.15.1 as a component of SUSE OpenStack Cloud 7 python-Django-1.11.23-3.12.1 as a component of SUSE OpenStack Cloud 8 python-Django1-1.11.23-3.9.1 as a component of SUSE OpenStack Cloud 9 python-Django-1.11.23-3.12.1 as a component of SUSE OpenStack Cloud Crowbar 8 python-Django1-1.11.23-3.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 python3-Django-2.2.4-bp151.3.3.1 as a component of SUSE Package Hub 15 SP1 python3-Django-2.2.4-lp151.2.3.1 as a component of openSUSE Leap 15.1 python-Django as a component of SUSE Enterprise Storage 4 python-Django as a component of SUSE Enterprise Storage 5 python-Django as a component of SUSE OpenStack Cloud 6-LTSS An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function. CVE-2019-14234 HPE Helion OpenStack 8:python-Django-1.11.23-3.12.1 SUSE OpenStack Cloud 7:python-Django-1.8.19-3.15.1 SUSE OpenStack Cloud 8:python-Django-1.11.23-3.12.1 SUSE OpenStack Cloud 9:python-Django1-1.11.23-3.9.1 SUSE OpenStack Cloud Crowbar 8:python-Django-1.11.23-3.12.1 SUSE OpenStack Cloud Crowbar 9:python-Django1-1.11.23-3.9.1 SUSE Package Hub 15 SP1:python3-Django-2.2.4-bp151.3.3.1 openSUSE Leap 15.1:python3-Django-2.2.4-lp151.2.3.1 SUSE Enterprise Storage 4:python-Django SUSE Enterprise Storage 5:python-Django SUSE OpenStack Cloud 6-LTSS:python-Django important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H