CVE-2019-14234
📋 TL;DR
This SQL injection vulnerability in Django's PostgreSQL JSONField and HStoreField allows attackers to execute arbitrary SQL queries through crafted key or index names in lookups. It affects Django applications that use these PostgreSQL-specific fields on vulnerable versions, potentially leading to data exposure or manipulation.
💻 Affected Systems
- Django
📦 What is this software?
Django by Djangoproject
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data exfiltration, modification, or deletion, potentially leading to full system takeover if database privileges permit.
Likely Case
Unauthorized data access allowing attackers to read sensitive information from database tables accessible to the application.
If Mitigated
Limited impact with proper input validation and database user privilege restrictions in place.
🎯 Exploit Status
Exploitation requires the ability to pass a crafted dictionary to the QuerySet.filter() function, typically through user-controllable input in web applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Django 1.11.23, 2.1.11, or 2.2.4
Vendor Advisory: https://docs.djangoproject.com/en/dev/releases/security/
Restart Required: Yes
Instructions:
1. Back up your Django project and database.
2. Update Django using pip: 'pip install Django==1.11.23' or the appropriate version for your release series.
3. Restart your Django application server.
4. Test application functionality.
🔧 Temporary Workarounds
Input Validation Workaround
Implement strict input validation for all parameters passed to QuerySet.filter() when using JSONField or HStoreField.
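One way to apply that workaround, as an added example that is not code from the page or from the Django project: validate every user-supplied key before it is turned into a `field__key` lookup, accepting only identifier-like string keys and non-negative integer indexes. The field name `data`, the helper names and the assumption that stored JSON keys are plain identifiers are all assumptions for this illustration.

```python
import re
from typing import Any, Dict, Mapping

# Acceptable JSONField / HStoreField key names. Assumption for this example:
# the application's stored keys are plain identifiers; anything else is refused.
IDENTIFIER_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeLookupKey(ValueError):
    """Raised when a user-supplied key or index is refused before reaching filter()."""


def is_safe_lookup_key(key: Any) -> bool:
    """True only for identifier-like strings or non-negative int indexes."""
    if isinstance(key, bool):  # bool is an int subclass; never a valid array index
        return False
    if isinstance(key, int):
        return key >= 0
    return isinstance(key, str) and IDENTIFIER_KEY.match(key) is not None


def safe_json_lookup(field: str, key: Any) -> str:
    """Return a 'field__key' lookup string for QuerySet.filter(), or raise."""
    if not is_safe_lookup_key(key):
        raise UnsafeLookupKey(f"refused lookup key {key!r}")
    return f"{field}__{key}"


def build_filter_kwargs(field: str, user_filters: Mapping[Any, Any]) -> Dict[str, Any]:
    """Validate every key of a user-controlled mapping and build kwargs for .filter().

    Intended use in a view (Django itself is not imported here):
        Model.objects.filter(**build_filter_kwargs("data", request.GET.dict()))
    A single refused key aborts the whole filter rather than silently dropping it.
    """
    return {safe_json_lookup(field, k): v for k, v in user_filters.items()}
```

This is defense in depth on top of upgrading: the patched releases parameterize the key themselves, but the check also keeps malformed keys out of application logs and error pages.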
🧯 If You Can't Patch
- Implement WAF rules to block SQL injection patterns in request parameters
- Restrict database user permissions to minimum required for application functionality
🔍 How to Verify
Check if Vulnerable:
Check the Django version with 'python -m django --version' and verify whether it falls within the affected ranges (below 1.11.23, 2.1.11 or 2.2.4 in the respective series).
Check Version:
python -m django --version
Verify Fix Applied:
Confirm the Django version is 1.11.23, 2.1.11, 2.2.4 or higher in its series using 'python -m django --version'.
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns
- Multiple failed login attempts followed by successful data extraction
- Requests with crafted dictionary parameters containing SQL keywords
Network Indicators:
- Unusual database connection patterns from application servers
- Large data transfers from database to unexpected destinations
SIEM Query:
source="django.log" AND ("JSONField" OR "HStoreField") AND ("OR 1=1" OR "UNION" OR "SELECT *" OR unusual query patterns)
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- https://docs.djangoproject.com/en/dev/releases/security/
- https://groups.google.com/forum/#%21topic/django-announce/jIoju2-KLDs
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/STVX7X7IDWAH5SKE6MBMY3TEI6ZODBTK/
- https://seclists.org/bugtraq/2019/Aug/15
- https://security.gentoo.org/glsa/202004-17
- https://security.netapp.com/advisory/ntap-20190828-0002/
- https://www.debian.org/security/2019/dsa-4498
- https://www.djangoproject.com/weblog/2019/aug/01/security-releases/