CVE-2019-14234: SQL Injection
Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of OR 1=1 in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
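Added example, not code from the advisory or from the Django project: the application-side mitigation the advisory points to, validating untrusted JSONField/HStoreField key paths against an allow-list and the lookup grammar before they are expanded into QuerySet.filter(**kwargs). The field name "data", the allow-list and the request parameters are constructed for illustration; the Django ORM itself is not imported, only the kwargs that would be handed to it are built.

```python
import re

# Constructed example, not Django's code. It closes the door the advisory
# describes from the application side: never let request data choose the
# keyword names passed to QuerySet.filter(**kwargs). The first segment of a
# lookup path must be an allow-listed JSON/HStore key and every further segment
# a plain identifier or integer index, so a key such as "OR 1=1" is rejected
# before it can reach the ORM at all (defence in depth even on a patched ORM).
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_INDEX = re.compile(r"^\d+$")


def safe_json_lookup(field, path, allowed_keys):
    """Return a validated filter() keyword such as "data__price__gt".

    field        -- model field name (hypothetical, e.g. "data")
    path         -- untrusted key path from the request, e.g. "price__gt"
    allowed_keys -- JSON keys this view is expected to query
    Raises ValueError for anything outside that grammar.
    """
    parts = path.split("__")
    if parts[0] not in allowed_keys:
        raise ValueError(f"key {parts[0]!r} is not on the allow-list")
    for seg in parts[1:]:
        # nested keys, array indices and lookups (gt, contains, has_key, ...)
        if not (_IDENT.match(seg) or _INDEX.match(seg)):
            raise ValueError(f"invalid key/index segment {seg!r}")
    return f"{field}__{path}"


def lookup_is_safe(field, path, allowed_keys):
    """Boolean form of safe_json_lookup, handy for logging rejected input."""
    try:
        safe_json_lookup(field, path, allowed_keys)
    except ValueError:
        return False
    return True


def build_filter_kwargs(field, params, allowed_keys):
    """Translate untrusted request parameters into filter() kwargs.

    Unsafe pattern this replaces:  Model.objects.filter(**request.GET.dict())
    Safe usage:                    Model.objects.filter(**build_filter_kwargs(...))
    """
    return {safe_json_lookup(field, p, allowed_keys): v for p, v in params.items()}


if __name__ == "__main__":
    allowed = {"price", "tags"}  # constructed allow-list for a hypothetical view
    print(build_filter_kwargs("data", {"price__gt": 10, "tags__0": "sale"}, allowed))
    print(lookup_is_safe("data", "OR 1=1", allowed))  # False: rejected key name
```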