Django has published a security release announcing several vulnerabilities. The high-severity one, CVE-2019-14234, is an SQL injection in key and index lookups on JSONField and HStoreField.
A remote attacker can send a crafted dictionary to an affected application. If the application expands that dictionary as **kwargs into QuerySet.filter() and the lookup is a key or index lookup on django.contrib.postgres.fields.JSONField, or a key lookup on django.contrib.postgres.fields.HStoreField, the attacker-controlled key name is spliced into the generated SQL without being bound as a parameter, and SQL injection occurs. Successful exploitation allows a remote attacker to read, modify and delete data in the database.
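The following is an added, self-contained example and not Django's own code: it models the bug class described above with a simplified key-transform compiler, showing the vulnerable pattern (key name formatted into the SQL text) beside the parameterised form, and an application-side check for request-supplied lookup names before they reach filter(**kwargs). The SQL shape, the `LOOKUP_SEP` constant, the `compile_filter` helper and the `validated_filter_kwargs` check are assumptions made for illustration; the malicious dictionary is constructed input.

```python
import re

# Constructed, simplified model of how a JSONField key lookup such as
# filter(data__colour="red") becomes SQL. This is not Django's KeyTransform;
# it only reproduces the pattern behind CVE-2019-14234 so the two forms can
# be compared side by side.

LOOKUP_SEP = "__"  # assumption: the field/key separator used in lookup names


def vulnerable_key_transform_sql(column, key):
    """Vulnerable pattern: the key name is formatted straight into the SQL text."""
    sql = "(%s -> '%s')" % (column, key)
    return sql, []


def fixed_key_transform_sql(column, key):
    """Hardened pattern: the key name travels as a bound query parameter."""
    sql = "(%s -> %%s)" % column
    return sql, [key]


def compile_filter(kwargs, key_transform_sql):
    """Turn {'<column>__<key>': value} into a WHERE fragment and a parameter list.

    Hypothetical helper standing in for the ORM's query compiler.
    """
    clauses, params = [], []
    for lookup, value in kwargs.items():
        column, key = lookup.split(LOOKUP_SEP, 1)
        sql, key_params = key_transform_sql(column, key)
        clauses.append(sql + " = %s")
        params.extend(key_params)
        params.append(value)
    return " AND ".join(clauses), params


# Lookup names an application should accept from a request: an identifier,
# optionally followed by "__"-separated key or index segments.
SAFE_LOOKUP = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(__[A-Za-z0-9_]+)*$")


def validated_filter_kwargs(user_params, allowed_fields):
    """Reject request-supplied lookup names before expanding them into filter(**kwargs).

    Hypothetical application-side check: only well-formed lookup names on an
    explicit allowlist of fields are passed through.
    """
    clean = {}
    for lookup, value in user_params.items():
        if not SAFE_LOOKUP.match(lookup):
            raise ValueError("rejected lookup name: %r" % lookup)
        field = lookup.split(LOOKUP_SEP, 1)[0]
        if field not in allowed_fields:
            raise ValueError("field not filterable: %r" % field)
        clean[lookup] = value
    return clean


# Constructed attacker input: the dictionary key closes the quoted key name
# and appends its own condition, then comments out the rest of the statement.
MALICIOUS = {"data__a') OR 1=1 --": "x"}

if __name__ == "__main__":
    vuln_sql, vuln_params = compile_filter(MALICIOUS, vulnerable_key_transform_sql)
    print("vulnerable:", vuln_sql, vuln_params)
    # the injected OR is now part of the statement, outside any string literal
    fixed_sql, fixed_params = compile_filter(MALICIOUS, fixed_key_transform_sql)
    print("fixed:     ", fixed_sql, fixed_params)
    # the same key is an inert parameter value
    try:
        validated_filter_kwargs(MALICIOUS, allowed_fields={"data"})
    except ValueError as exc:
        print("application check:", exc)
```

The fixed form is what the patched releases rely on: the database driver binds the key name as a value, so quoting in the key cannot change the statement. The allowlist check is the defence an application can apply on its own side, and it is worth keeping even on patched versions, since accepting arbitrary lookup names from a request also lets a client query fields it was never meant to filter on.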
Affected versions
- Django master development branch
- Django 2.2 before version 2.2.4
- Django 2.1 before version 2.1.11
- Django 1.11 before version 1.11.23
Unaffected versions
- Django 2.2.4
- Django 2.1.11
- Django 1.11.23
Solution:
Django has released fixed versions for all supported branches; affected users should upgrade as soon as possible. Until the upgrade is in place, do not expand request-controlled dictionaries into QuerySet.filter(**kwargs) for JSONField or HStoreField lookups: validate the lookup names against an allowlist, since the injection happens through the key name, not the value.