CVE-2019-14234

CRITICAL LAB

Django < 1.11.23, < 2.1.11, < 2.2.4 - SQL Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-14234. PoCs published by malvika-thakur, giuliodamico.

AI-analyzed exploit summary: This repository provides a functional proof-of-concept for CVE-2019-14234, a SQL injection vulnerability in Django's JSONField/HStoreField. It includes a Dockerized Django 2.2.3 environment with a vulnerable model and admin interface to demonstrate the exploit via crafted GET parameters.

Description

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.

Exploits (2)

nomisec · Working PoC · 2 stars
by malvika-thakur · PoC
https://github.com/malvika-thakur/CVE-2019-14234

Classification: Working PoC (95%)
Attack type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Django 2.2.3
Auth: required
Prerequisites: Django 2.2.3 with JSONField/HStoreField in use · Access to Django admin interface
Analyzed by devstral-2 on Feb 18, 2026
nomisec · Working PoC
by giuliodamico · PoC
https://github.com/giuliodamico/CVE-2019-14234

This repository contains a functional Django application demonstrating CVE-2019-14234, a SQL injection vulnerability in Django's JSONField. The vulnerable code includes a Django model with a JSONField, and the setup allows for testing SQL injection via crafted queries.

Classification: Working PoC (95%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Django 2.2.3 with PostgreSQL
Auth: not needed
Prerequisites: Docker environment to run the vulnerable application · PostgreSQL database
Analyzed by devstral-2 on Jun 04, 2026

References (9)

Mailing List, Third Party Advisory (Bugtraq): https://seclists.org/bugtraq/2019/Aug/15
Third Party Advisory, Vendor Advisory (Debian): https://www.debian.org/security/2019/dsa-4498
Mailing List, Third Party Advisory, Vendor Advisory (SUSE): http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
Vendor Advisory (NetApp): https://security.netapp.com/advisory/ntap-20190828-0002/
Third Party Advisory, Vendor Advisory (Gentoo): https://security.gentoo.org/glsa/202004-17

Scores

CVSS v3: 9.8
EPSS: 0.2972
EPSS Percentile: 96.8%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

Community Lab: docker pull vulhub/django:2.2.3

Details

CWE: CWE-89
Status: published
Products (5):
debian/debian_linux 9.0
debian/debian_linux 10.0
djangoproject/django 1.11 - 1.11.23
fedoraproject/fedora 30
pypi/Django 1.11a1 - 1.11.23 (PyPI)
Published: Aug 09, 2019
Tracked Since: Feb 18, 2026