Wind River Support Network

HomeDefectsLIN1018-6267
Fixed

LIN1018-6267 : Security Advisory - python3-django - CVE-2019-14234

Created: Jun 4, 2020    Updated: Jul 14, 2020
Resolved Date: Jun 21, 2020
Found In Version: 10.18.44.1
Fix Version: 10.18.44.18
Severity: Standard
Applicable for: Wind River Linux LTS 18
Component/s: Userspace

Description

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

CREATE(Triage):(User=admin) [CVE-2019-14234|https://nvd.nist.gov/vuln/detail/CVE-2019-14234]

CVEs


Live chat
Online